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ABSTRACT 


Effective,  inexpensive,  and  realistic  on-going  training  is  required  to  keep  all  Naval 
personnel  proHcient  in  their  fields.  Nowhere  is  this  more  true  than  in  steam  propulsion  en¬ 
gineering  plants.  The  complex  systems  of  valves,  piping,  and  components  require  contin¬ 
ual  refresher  for  watchstanders  to  perform  their  jobs  safely. 

BoilerModel  is  a  qualitative  expert  system  designed  using  model-based  reasoning 
principles  and  implemented  in  Ada.  It  accurately  models  a  1200  psi  D-type  boiler  and  its 
associated  peripherals.  The  use  of  fundamental  intra-component  relationships  (“first  prin¬ 
ciples”)  and  constraint  propagation  result  in  compact  code  because  there  is  no  need  for  the 
extensive  rule  base  found  in  conventional  expert  systems.  Implementation  in  Ada  permits 
the  use  of  concurrent  tasking  to  simulate  simultaneous  valve  propagation  found  in  real- 
world  boiler  systems.  Additionally,  Ada’s  portability  allows  BoilerModel  to  be  compiled 
and  nm  on  virtually  any  machine,  thereby  making  it  an  affordable  and  attractive  comple¬ 
ment  to  shipboard  engineering  training. 
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1.  INTRODUCTION 


The  technical  nature  of  most  U  S.  Navy  jobs  requires  a  substantial  investment  (in 
terms  of  man-hours  lost,  equipment  maintenance,  materials,  etc.)  for  initial  training.  On¬ 
going  training  is  also  required  to  sustain  a  satisfactory  level  of  proficiency.  There  is, 
therefore,  always  a  need  for  effective,  realistic,  and  inexpensive  complements  to 
conventional  schooling  to  maintain  competency.  Nowhere  is  this  more  true  than  for  the 
training  of  steam  propulsion  engineering  plant  operators.  The  complex,  almost  Gordian 
knot  of  valves,  piping,  and  components  is  overwhelming  to  the  novice  and  requires 
continual  refresher  for  qualified  watchstanders  to  perform  their  jobs  effectively  and  safely. 
However,  the  Navy  currently  has  only  one  computerized  steam  plant  simulator  (the 
Propulsion  Plant  Trainer  (PPT)  in  Newport,  R.1,)  and  one  non-specific  stationary  hot  plant 
(at  Great  Lakes  Naval  Station).  “Hands-on”  training  for  prospective  division  officers  and 
department  heads  is  conducted  at  one  of  these  two  facilities,  or  onboard  ships  moored  to  a 
pier. 

A.  STEAM  ENGINEERING  TRAINING  PROBLEMS 

Three  problems  are  evident  with  the  status  quo.  First,  hands-on  training  focuses  on 
proper  (i.e.,  non-catastrophic)  operation  of  the  plant.  With  the  exception  of  the  PPT,  it  is 
too  dangerous  to  both  machinery  and  human  life  to  impose  actual  casualty  situations  on 
steaming  boilers.  Therefore,  most  casualty  control  training  is  either  learned  in  the 
classroom  or  is  simulated.  (Simulated  casualty  control  is  like  kissing  one’s  own  sister;  it 
isn’t  quite  the  same  thing). 

The  second  problem  is  that  training  platforms  are  expensive  to  maintain.  Machinery 
at  the  hot  plant  and  onboard  ships  breaks.  The  PPT  undergoes  physical  changes  to  match 
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real-world  ship  alterations,  and  these  changes  often  require  software  updates.  Additionally, 
building  a  PPT  for  the  West  Coast  (to  fill  the  training  gap)  would  be  a  multiinillion  dollar 
expenditure.  Both  the  hot  plant  and  “school  ships”  bum  fuel  while  training.  This  fuel  could 
be  better  used  getting  the  ships  and  their  crews  underway  conducting  at-sea  operations 
(where  they  should  be  in  the  tirst  place). 

The  third  problem  is  that  plant  line-up  changes  and  casualty  restoration  is  very  time 
consuming.  With  the  exception  of  the  PPT  (where  restoration  is  instantaneous), 
prospective  engineering  officers  spend  much  of  their  time  on  the  deckplates  answering 
questions  from  the  instructors  and  not  learning  by  doing.  While  this  problem  is  non¬ 
existent  in  the  PPT,  there  is  only  one  PPT.  The  few  steam  ships  stationed  in  Newport  are 
virtually  the  only  ones  that  can  afford  to  ser  d  watch  teams  to  the  trainer. 

B.  RESEARCH  QUESTIONS 

The  problems  with  current  on-going  fleet  steam  engineering  training  form  the 
background  for  the  following  questions  posed  by  this  thesis. 

First,  can  an  expen  system  be  developed  that  effectively  and  efficiently  models  boiler 
operation?  If  so,  can  it  be  designed  in  such  a  manner  that  it  can  be  expanded  to  model  the 
entire  steam  plant? 

Second,  can  such  a  model  be  constructed  using  qualitative  reasoning  such  that  it  is 
not  limited  by  parameters  and  features  specific  to  one  platform? 

Third,  must  a  model-based  expen  system  be  written  in  Lisp  or  one  of  the  other 
traditional  artificial  intelligence  languages,  or  can  it  be  written  in  a  general  purpose 
language  such  as  Ada? 

Fourth,  can  such  a  system  be  made  inexpensively  enough  to  make  it  an  attractive  and 
affordable  shipboard  tool? 
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BoiierModel  was  developed  as  part  of  this  thesis  to  answer  the  questions  posed.  It  is 
a  fairly  uncomplicated  qualitative  model-based  reasoning  system  whose  domain  is  the 
naval  propulsion  boiler.  It  is  implemented  in  Ada.  The  cause-effect  propagation  of  events 
in  the  model-based  paradigm  is  ideally  suited  for  physical  applications  such  as  steam 
generation  plants.  Model-based  systems  are  beneficial  in  education  and  training  because 
they  can  progress  through  events  causally  in  much  the  same  manner  as  students  learn.  They 
rely  on  how  components  work  and  how  they  are  interrelated.  Thus,  plant  scenarios  can  be 
generated  easily  by  students  and  abnormal  conditions  can  be  diagnosed  conHdently  by 
watchstanders. 

C.  THESIS  OUTLINE 

The  second  chapter  of  this  thesis  provides  the  reader  with  an  introduction  to  model- 
based  reasoning  and  the  differences  between  it  and  rule-based  inference.  The  third  chapter 
serves  as  a  literature  review  or  survey  of  related  work  in  the  fields  of  qualitative  physics 
and  model-based  reasoning.  The  fourth  chapter  introduces  the  model  domain  (the 
propulsion  boiler  system),  including  important  cause-effect  relationships.  The  fifth  chapter 
focuses  on  BoiierModel  as  an  Ada  implementation.  The  questions  posed  in  this 
introductory  chapter  will  be  answered  in  the  body  of  the  thesis;  synopses  of  the  answers 
will  be  provided  in  the  concluding  remarks  of  the  sixth  chapter. 
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n.  A  MODEL-BASED  REASONING  PRIMER 


Expert  systems  today  can  be  categorized  in  two  general  ways:  as  rule-based  systems 
or  as  model-based  systems.  Of  course,  designs  may  be  hybrids,  containing  elements  of 
both.  Rule-based  systems  consist  of  sets  of  known  facts  and  rules  in  the  problem  domain. 
These  elements  come  from  interviews  with  subject  matter  experts  and  donoain-speciEc 
technical  documentation.  An  irtference  engine,  some  sort  of  program  or  production 
language  uses  the  rules  and  facts  in  the  knowledge  base  to  reason  from  input.  Rule-based 
systems  are  wholly  dependent  on  the  facts  and  relationships  in  the  knowledge  base; 
therefore,  the  more  facts  and  rules,  (generally)  the  more  robust  the  expert  system.  Model- 
based  systems  approach  the  problem  from  a  different  tack.  This  chapter  will  examine  what 
model-based  reasoning  is,  how  it  works  and  what  utility  it  has  in  problem  solving 
situations. 

A.  REASONING  FROM  MODELS 

Model-based  expert  systems  have  been  written  in  many  languages  and  for  many 
different  architectures.  Knowledge  representation  also  differs  from  system  to  system  to 
suit  the  specifications  of  the  designers  and  the  needs  of  the  users.  However,  all  of  these 
systems  have  one  thing  in  common:  they  reason  from  some  sort  of  model  of  the  domain. 
While  a  rule-based  system  may  reason  exclusively  from  observed  values  to  facts  or  rules 
in  its  knowledge  base,  noodel-based  systems  reason  frt»n  **first  principles,”  rules  which 
describe  the  internal  processes  and  causal  relationships  between  components  in  the  domain. 
Since  first  principles  are  facts  about  objects  and  how  they  behave,  they  can  reason  from 
observed  values  to  real-world  states  simply  by  generating  different  system  states, 
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propagating  these  constraints  through  the  first  principles,  and  comparing  the  generated 
sensor  values  with  actual  observed  values. 

“The  essence  of  [the]  model-based  expert  system  approach  is  to  generate  a  model 
that  acts  as  close  to  the  real  world  as  possible  except  when  a  measurement  or 
component  fails.  . .  .When  the  real  world  begins  to  act  differently  from  the  model, 
we  detect  the  discrepancy  and  diagnose  the  change  using  the  model.”  (Fulton  and 
Pepc,  1990,  pp.  52-3) 

The  Rube  Goldberg  drawing  in  Figure  2.1  (Kinnaird,  1968,  p.  37)  lightheartedly 
shows  the  internal  states  and  cause-effect  relationships  required  to  build  a  better  mousetrap. 
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Figure  2.1 


The  heart  of  the  model  is  constraint  propagation,  which  is  to  the  model-based 
reasoning  system  what  the  inference  engine  is  to  the  rule-based  system.  Propagation  uses 
the  relationships  between  components  to  establish  a  chain  reaction  when  changes  are  made 
to  the  system.  Propagation  continues  to  occur  until  all  valid  relationships  have  been 
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explored.  For  example,  consider  the  simple  valve  and  piping  arrangement  in  Figure  2.2  and 
the  corresponding  valid  set  of  steam  pressure  propagation  relationships  in  Table  2.1 


Figure  2,2 
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VALVE  1  input  -  NORM 

VALVE  1  output  -  VALVE  1  input  (if  open)  / 

NONE  (if  shut) 

VALVE  2  Input -NORM 

VALVE  2  oi^ut  -  VALVE  2  input  (if  open)  / 

NONE  (if  shut) 

VALVE  3  input  -  greater  of  (VALVE  1  output, 

VALVE  2  output) 

VALVE  3  output  -  VALVE  3  input  (if  open)  / 

NONE  (if  shut) 

VALVE  4  input  -  greater  of  (VALVE  2  output, 

VALVE  3  output) 

VALVE  4  output «  VALVE  4  input  (if  open)  / 

NONE  (if  shut) 

VALVE  5  input  -  greater  of  (VALVE  1  output, 

VALVE3  output) 

VALVE  5  output  -  VALVE  5  input  (if  open)  / 

NONE  (K  shut) 

VALVE  6  input  -  VALVE  4  output 

VALVE  6  output  -  VALVE  6  in^  (if  open)  / 

NONE  (if  shut) 

VALVE  7  input  -  greater  of  (VALVE  5  output, 

VALVE  6  output) 

VALVE  7  output  -  VALVE  7  Input  (if  open)  / 

NONE  (if  shut) 

VALVE  8  input  -  greater  of  (VALVE  5  output, 

VALVE  7  output) 

VALVE  8  output  -  VALVE  8  input  (if  open)  / 

NONE  (if  shut) 

STEAM  SINK  A  value  -  greater  of  (VALVE  6  output, 

VALVE  7  output) 

STEAM  SINK  B  value  -  VALVE  8  output 


Table  2.1 


Reasoning  about  what  effect  shutting  VALVE  1,  VALVE  3,  and  VALVE  7  has  on 
the  values  of  STEAM  SINK  A  and  STEAM  SINK  B  would  simply  be  a  matter  of  changing 
the  status  of  those  valves  and  reevaluating  the  relationships. 

Note  also  that  the  rules,  although  specific  to  the  valves,  effectively  simulate  the 
function  of  the  piping  system.  Moreover,  die  entire  piping  system  is  modeled.  How  well 
a  model  simulates  real-world  connectivity,  of  course,  depends  on  its  applications.  In 
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general,  though,  the  more  representative  rules  are  of  the  relationships  between  components, 
the  more  robust  the  overall  model  will  be  and  the  more  diversified  its  potential  applications. 

Models  themselves  fall  into  two  broad  groups:  quantitative  and  qualitative. 
Quantitative  models  fall  outside  the  scope  of  this  research.  Briefly,  quantitative  models 
rely  on  mathematical  or  numerical  rules  and  relationships  to  predict  or  monitor  system 
functions. 

“A  mathematical  model  could  be  constructed  to  model  the  function  of  a 
grandfather  clock,  taking  into  account  the  oscillator  length,  gear  size,  and  so  on.  A 
numeric  model  could  pr^ct  the  position  of  the  hands  after  a  specific  time  interval.” 
(Fulton  and  Pepe,  1990,  p.  51) 

Qualitative  models,  on  the  other  hand,  describe  domain  components  “in  terms  of 
causal,  compositional  or  subtypical  relationships  among  objects  and  events."  (Clancey, 
1989,  p.  10)  There  are  several  variations  of  qualitative  models.  Class^cation  models 
categorize  observed  patterns  to  describe  processes.  The  process  descriptions  identify 
events  which  occur  over  time  and  in  diverse  locations.  Diagnosing  infectious  diseases  is 
one  example  of  the  use  of  classification  models.  Simulation  models  start  from  a  set  of 
initial  conditions  and  predict  how  the  systems  will  change  when  the  initial  conditions  are 
changed.  Functional  models  relate  system  behaviors  and  states  to  functional  goals. 
(Qancey,  1989,  p.  13)  White  and  Frederiksen  (1989)  discuss  phenomenological  and 
reductionist  models  (see  Chapter  in.C.l). 

B.  MODEL.BASED  vs.  RULE-BASED  SYSTEMS 

As  discussed  previously,  rule-based  systems  are  wholly  dependent  on  facts  and  rules 
in  their  knowledge  bases.  They  cannot,  in  and  of  themselves,  reason  from  cause  to  effect 
unless  the  canse  and  effect  happen  to  be  rules  accessible  to  the  inference  engine.  Model- 
based  sysfems  can  because  cause-effect  relationships  are  easily  and  naturally  modeled  as 
frrst  principles.  This  is  especially  inqxnrtant  in  applications  involving  physical  systems 
such  as  steam  generation  plants  and  electrical  distribution  systems.  “Rule-based  expert 
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systems  were  never  particularly  suited  to  industrial  monitoring  applications.”  (Fulton  and 
Pepe,  1990,  p.  48)  Reasons  for  this  fall  into  three  general  areas. 

1.  Sensor  Failure 

Control  personnel  in  real-world  industrial  systems  rely  on  infonnation  from 
sensors  to  formulate  decisions  or  perform  diagnostics.  A  rule-based  system  would  require 
a  set  of  rules  mapping  possible  sensor  readings  to  corresponding  plant  conditions.  A 
problem  arises  in  that  sensor  indicators  (such  as  thermometers,  pressure  gauges,  etc.)  can 
themselves  fail  on  occasion.  A  rule-based  system  would  then  be  required  to  have  in  its 
knowledge  base  a  set  of  rules  which  would  ascertain  for  any  sensor  reading  whether  or  not 
that  data  is  correct.  “According  to  current  estimates,  up  to  three-quarters  of  industrial 
expert  system  rules  do  nothing  more  than  verify  sensor  accuracy.”  (Fulton  and  Pepe,  1990, 
p.49). 

Model-based  systems,  on  the  other  hand,  have  only  as  many  component 
description  and  systems  interrelationships  as  are  necessary  to  define  the  domain.  Out-of¬ 
limits  sensor  readings  due  to  faulty  sensors  can  be  accurately  diagnosed  in  exactly  the  same 
manner  as  out-of-limits  readings  due  to  plant  malfunction:  components  upstream  of  the 
sensor  in  the  model  are  failed  in  various  combinations  until  a  match  between  noodel  sensor 
values  and  real-world  sensor  values  is  obtained.  If  the  only  match(es)  between  model  and 
actual  system  contain  contradictory  component  state  infonnation,  then  the  sensor  must  be 
faulty  (because  it  is  assumed  that  the  real-world  system  has  been  accurately  and  completely 
modeled).  In  the  simple  valve  and  piping  example  introduced  previously,  if  the  sensor  for 
STEAM  SINK  A  indicates  a  value  of  NONE,  the  expen  system  would  only  be  able  to 
propagate  to  that  result  if  certain  combinations  of  valves  were  shut  The  set  of  such 
combinations  is  finite,  and  if  no  element  of  that  set  matches  the  known  valve  line-up,  then 
the  sensOT  is  determined  to  be  faulty  and  in  need  of  recalibration  or  replacement 
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2.  Number  of  Rules 


The  sheer  number  of  rules  needed  to  correctly  predict  plant  performance  or 
diagnose  faults  in  systems  of  even  moderate  size  is  enormous.  Consider  again  the  valve 
and  piping  example.  Given  eight  valves,  each  having  a  status  of  either  open  or  shut,  and  a 
constant  value  coming  from  the  STEAM  SOURCE,  a  rule-based  system  could  require  up 
to  256  rules  of  the  form  in  Figure  2.3. 


K  VALVE  1  is  OPEN  and  VALVE  2  is  OPEN  and 
VALVE  3  is  SHUT  and  VALVE  4  is  OPEN  and 
VALVE  5  is  OPEN  and  VALVE  6  is  SHUT  and 
VALVE  7  is  OPEN  and  VALVE  8  is  OPEN  then 

STEAM  SINK  A  is  NORM 
STEAM  SINK  B  is  NORM 


Figure  23 


This  plethora  of  rules  presents  four  problems  which  are  resolved  when  model- 
based  systems  are  used.  First,  as  the  number  of  rules/facts  increases,  the  chances  of 
implementing  an  exhaustive  rule  base  decreases.  “A  traditional  expert  system  relies  on 
expert  experience  likely  to  be  deepest  concerning  common  failures;  the  uncommon  failure 
is  doomed  to  obscurity  and  may  not  be  propo’ly  diagnosed.”  (Fulton  and  Pepe,  1990,  p.  55) 
During  the  interview  process,  the  expert  may  not  remember  ot  even  be  familiar  with 
obscure  casualty  situations  which  may  occur.  The  completeness  and  accuracy  of  the  rule- 
based  system  is  very  dependent  on  the  experience  of  the  experts  and  the  questions  posed  by 
the  designers.  Since  the  model-based  approach  is  founded  on  first  principles  which 
describe  component  behavior  and  are  essentially  independent  of  expert  experience,  this 
problem  is  obviated.  Large  components  can  be  broken  down  into  smaller  actual  or  virtual 
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components  to  the  point  where  cause-effect  relationships  are  manageable,  accurate,  and  as 
complete  as  necessary. 

Second,  in  a  large  rule-base  there  may  exist  some  rules  which  contradict  each 
other,  or  in  concert  with  each  other  produce  inaccurate  results.  There  may  also  be  rules 
which  are  just  not  correct.  “As  the  number  of  objects  in  the  system  increases,  it  becomes 
very  difficult  for  the  expert  to  predict  accurately  what  state  each  sensor  will  be  in  for  each 
possible  failure.”  (Fulton  and  Pepe,  1990,  p.  49)  Moreover,  determining  which  rules  failed 
in  a  particular  situation  can  be  very  difficult  because  there  is  no  necessary  link  between 
inter-  Antra-component  behavior  and  knowledge  base  elements.  A  model-based  system’s 
network  of  behaviors,  because  it  focuses  first  on  component  or  subcomponent  behavior  and 
then  on  relationships,  does  not  grow  increasingly  more  complex  as  the  modeled  system 
grows  (although  the  number  of  components  and  inter-component  relationships  that  must  be 
modeled  does  grow).  Additionally,  pinpointing  faulty  device  behaviors  or  relationships  is 
as  simple  as  tracing  through  the  state  tables  for  a  device  as  values  propagate.  Determining 
where  emurs  existed  in  this  project  was  never  a  problem;  fixing  them,  of  course,  was  a 
different  story. 

Third,  a  large  rule  base  is  expensive  in  terms  of  time  spent  in  development 
Since  such  a  system  would  require  extensive  contact  between  design  personnel  and  subject 
matter  experts,  there  would  exist  a  large  period  of  time  in  which  the  expert  system  was  in 
production.  Additionally,  as  the  real-world  system  changes,  experts  (who  do  not  work  for 
free)  would  have  to  be  consulted  for  modifications  to  the  rule  base.  Although  some  time 
lag  between  conception  and  implementation  would  also  exist  for  a  model-based  system, 
picking  the  brains  of  experts  for  facts  or  rules  to  support  all  contingencies  is  unnecessary. 
Only  when  new  components  (which  have  not  been  previously  modeled)  are  added  will 
there  be  a  substantial  time  drain.  “Since  rules  are  not  created ...  the  component  knowledge 
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base  simply  is  modified  to  reflect  the  changes,  [and]  a  task  is  no  more  difficult  than  altering 
a  set  of  schematics.”  (Fulton  and  Pepc,  1990,  p.  55) 

Fourth,  the  addition  of  new  components  in  rule-based  systems  increases 
exponentially  the  number  of  new  rules  needed.  In  the  now  familiar  valve  and  piping 
example,  adding  a  ninth  valve  would  increase  the  exhaustive  rule  set  from  256  to  512  (or 

2^)  if  a  rule-based  system  were  used.  Changes  to  a  model-based  system  would  be  limited 
to  information  about  that  valve’s  input  and  output  and  changes  to  the  valves  immediately 
upstream  and  downstream  of  it  (effectively  re-linking  the  system). 

3.  Human  Expert 

Model-based  systems  more  closely  simulate  how  human  experts  diagnose 
faults  or  predict  system  behavior.  When  there  is  incomplete  or  conflicting  information 
available,  human  experts  rely  on  what  data  is  available  and  formulate  hypotheses  upon 
which  future  actions  (repair  woik,  casualty  control  measures,  etc.)  are  based. 

“Generating  rules  to  compensate  for  even  a  subset  of  the  possible  partial  data 
situations  is  an  onerous  task  ^at  catastrophically  increases  the  required  number  of 
rules.  It  is  highly  improbable  such  an  effort  will  ever  provide  complete  scenario 
coverage.”  (Fulton  and  Pepe,  1990,  p.  49) 

Model-based  reasoning  closely  approximates  the  cause-effect  reasoning 
mechanism  employed  in  human  learning.  The  study  of  mathematics  and  science  is  firaught 
with  facts  and  figures  which  are  used  in  problem  solving  (a  cause-effect  exercise).  The 
non-quandtative  world  is  also  understood  analytically.  A  foreigner  unfamiliar  with 
baseball  will  learn  the  game  more  quickly  by  watching  (and  doing)  than  by  just  memorizing 
facts  and  rules. 

C.  UTILITY  OF  MODEL-BASED  SYSTEMS 

Model-based  systems  are  ideally  suited  for  industrial,  system  oriented  applications 
such  as  electrical  circuitry  training  and  steam  plant  monitoring.  In  applications  such  as 
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these,  model-based  systems  can  be  conceptually  true  to  real-world  configurations  without 
causing  immense  complications  during  real-world  modifications.  Model-based  systems 
are  well  suited  for  use  in  the  realm  of  training  and  education.  ‘‘When  novices 
spontaneously  attempt  to  understand  how  physical  systems  work,  they  use  constructs  such 
as  ‘causality,’  ‘mechanism,’  and  ‘purpose’.”  (White  and  Frederiksen,  1989,  p.  84)  Models 
are  also  well  suited  for  fault  diagnosis;  artificially  “failing”  components  and  propagating 
the  new  values  in  order  to  match  the  abnormal  real-world  status  can  be  done  quickly  and 
will  exhaust  all  casualty  conditions  in  a  well-modeled  system. 

Model-based  expert  systems  are  not  well  suited  for  domains  in  which  a  complete  and 
accurate  model  cannot  be  created.  Poor  quality  cause-effect  relationships  result  in  poor 
quality  diagnoses  and  predictions  which  may  endanger  life  and  equipment.  Model-based 
systems  also  require  real-world  sensors  to  provide  enough  information  for  reasonably 
accurate  diagnoses.  If  such  sensors  are  missing  and  cannot  be  installed,  only  partially 
accurate  and  downright  useless  conclusions  will  be  formulated  by  the  expert  system,  and  a 
rule-based  system  may  be  the  best  bet 
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ni.  LITERATURE  REVIEW 


A.  INTRODUCTION 

Qualitative  model-based  reasoning  systems  have  their  foundations  in  the  qualitative 
physic s/commonsense  reasoning  pioneered  in  the  late  1970’s  and  early  1980’s  by  de  Kleer, 
Brown,  andForbus  (Iwasaki,  1989).  Reasoning  systems  based  on  cause-effect  relationships 
were  developed  during  the  same  period,  and  some  systems  have  evolved  beyond  the 
drawing  board  and  are  in  use  today.  The  end  use  of  model-based  reasoning  systems  to  date 
have  been  in  the  areas  of  intelligent  tutoring  systems  and  fault  diagnosis.  Several  systems 
ranging  from  the  pragmatically  spartan  to  the  graphically  complex  will  be  examined  here. 

B.  QUALITATIVE  PHYSICS  FOUNDATIONS 

Three  distinct  yet  complementary  ways  of  qualitatively  explaining  the  effects  of 
physical  laws  on  systems  and  devices  were  developed  in  the  late  1970’s  and  early-to-mid 
1980’s.  They  focused  on  devices  themselves  (ENVISION),  processes  between  devices 
(Qualitative  Process  Theory),  and  system  behavior  (QSIM).  Additionally,  World 
Qualitative  Modeling  System  (WQMS),  published  in  1990,  uses  elements  of  all  three 
camps.  The  four  systems  will  be  discussed  in  section. 

1.  ENVISION 

ENVISION  was  developed  by  de  Kleer  and  Brown  at  the  Xerox  Palo  Alto 
Research  Center  (Iwasaki,  1989).  It  takes  a  device  or  component  centered  view  of  a  system; 
the  system  as  an  entity  consists  as  an  integration  of  many  thoroughly  specified  and 
described  component  parts.  Of  primary  concern  are  the  individual  devices  and  their 
interconnections.  To  this  end,  the  devices  have  to  be  isolated  and  their  functions  carefully 
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defined  to  infer  nothing  about  the  woiidngs  of  the  system  in  which  they  are  located.  These 
two  considerations  are  more  formally  known  as  th*  Locality  Principle  and  the  No-function- 
in-structuie  Principle.  Although  it  is  impossible  to  adhere  strictly  to  these  principles  when 
describing  a  component,  they  serve  as  ideals  toward  which  the  description  should  be  aimed 
(Iwasaki,  1989,  p.  363). 

The  connections  between  devices,  called  conduits,  are  assumed  to  transmit 
information  instantaneously  and  equally  when  there  are  multiple  conduits  between 
components. 

Device  behavior  is  divided  into  inter-state  and  intra- state  behaviors  and  is 
predicted  using  the  qualitative  functions  (equations)  in  the  definition  of  the  device. 
Prediction  is  based  on  propagating  known  values  through  the  equations  of  the  device, 
producing  both  a  logical  cause/effect  link  and  new  facts.  Once  the  intra-state  behavior  of 
the  device  has  been  determined,  all  possible  future  states  of  that  device  can  be  taken  from 
a  table  that  is  indexed  by  the  values  of  state  variables  and  contains  all  legal  states  for  that 
device.  Prediction  of  system  behavior,  then,  is  an  exercise  in  determining  all  logical 
transitions  between  the  possible  future  states  along  conduits. 

2.  QPT 

Qualitative  Process  Theory  (QPT)  was  developed  in  1982  by  Forbus  at 
Massachusetts  Institute  of  Technology  (Iwasaki,  1989).  His  (^alitative  Process  Engine 
uses  information  about  objects  and  processes  to  reason  about  which  processes  will  occur, 
what  they  will  affect  in  the  system,  and  when  they  will  stop  (Iwasaki,  1989,  p.  371). 
Physical  systems  are  represented  as  objects  which  have  certain  defined  interrelationships 
and  processes  which  are  the  sole  means  of  changing  state  in  the  system.  Examples  of 
processes  in  QPT  are  heat  flow,  boiling,  and  evaporation. 


15 


Individual  views  in  QPT  are  “views  of  objects  that  focus  on  the  enabling 
conditions  of  their  behavioral  characteristics”  (Iwasaki,  1989,  p.  372).  For  example,  water 
in  a  boiler  and  water  flowing  through  a  nozzle  would  have  different  individual  views 
because  the  same  object,  water,  behaves  differently  in  the  two  situations.  Individual  views 
have  four  parts: 

(1)  the  individual  obiect(s)  involved; 

(2)  the  qnanritv  condition,  which  is  a  statement  defining  quantities  of  individuals, 
generally  with  respect  to  each  other, 

preconditions,  which  are  conditions  other  than  quantity  conditions  which  must 
hold  true  for  the  individual  view  to  be  valid.  For  example,  in  order  for  a  container  to  hold 
a  liquid,  the  container  must  be  capable  of  holding  a  liquid  (Iwasaki,  1989,  p.  373); 

(4)  telarions.  which  are  further  truths  regarding  attributes  of  the  individual(s).  For 
example,  the  individual  view  of  water  in  a  nozzle  would  have  a  relationship  (mass  flow 
rate,  or  m)  between  the  specific  density  of  the  water  (p),  its  velocity  (v),  and  the  cross- 
sectional  area  of  the  nozzle  (A  ): 

m  =  pxAxv  (eq3.1) 

Processes  must  include  the  individuals  necessary  for  the  process  to  be 
activated,  what  events/ciicumstances  will  trigger  the  process,  and  what  changes  will  be 
brought  about  when  a  process  has  been  run. 

Behavior  of  a  system  based  on  a  given  set  of  objects  andliieindatioaships  can 
be  predicted.  Individual  views  are  created  and  relevant  processes  are  activated.  Rttcesses 
can  then  start  and  stop,  creating  new  individual  views  and  removing  antiquated  ones.  Tue 
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Qualitative  Process  Engine  “detects  the  processes  that  must  take  place  in  a  given  situation 
and  predicts  their  course.”  (Iwasaki,  1989,  p.  381)  This  sequence  of  events  involving 
processes  and  individual  views  which  describes  a  possible  direction  in  which  the  system 
may  move  is  referred  to  as  a  history. 

3.  QSIM 

Qualitative  simulation  (QSIM)  was  developed  by  Kuipers  in  1985  (Iwasaki, 
1989).  QSIM  takes  a  device,  functions  that  describe  the  behavior  of  that  device,  and  initial 
state  facts  and  produces  future  states  into  which  the  device  may  transition  based  on  the 
given  information.  “Given  an  initial  qualitative  state  for  each  functicn,  QSIM  first 
generates  all  possible  successor  states  for  each  function.”(Iwasaki,  1989,  p.  382)  QSIM 
conducts  a  breadth-first  generation  of  potential  future  states,  Hltering  out  those  that  are 
either  redundant  or  inconsistent  with  the  given  facts. 

The  qualitative  state  of  a  function  (behavior)  is  defined  as  a  pair  consisting  of 
a  qualitative  value  of  the  function  and  its  direction  of  change  (essentially  the  first  derivative 
of  the  function  with  respect  to  time).  Once  a  layer  of  possible  future  states  of  a  device  is 
generated,  qualitative  constraints  can  discriminate  between  valid  and  invalid  states  by 
restricting  the  range  of  qualitative  values  of  a  function  and  by  limiting  or  forcing  direction 
of  change  (Iwasaki,  1989,  p.  386).  Qualitative  constraints  are  predicates  which  express 
some  type  of  qualitative  relationship  among  functions  and  can  thus  act  as  mechanisms  to 
exclude  impossible  or  contradictory  states.  Similarly,  the  qualitative  constraint  predicates 
act  to  eliminate  illogical  directions  of  change.  Consider  the  constraint  pr.  dicate  ADD(f,g,h) 
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where  f(t)  +  g(t)  =  h(t).  Figure  3.1  (Iwasaki,  1989,  p.  387)  lists  the  possible  valid  directions 
of  change  and  excludes  those  which  would  invalidate  the  predicate: 
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Figure  3.1 


The  use  of  qualitative  constraints  applied  to  both  elements  of  the  qualitative 
state  pair  has  the  potential  to  reduce  substantially  the  list  of  future  states  for  a  device. 

4.  WQMS 

World  Qualitative  Modeling  System  (WQMS)  was  developed  in  1990  by 
Gaglio,  Giacomini,  Ponassi,  and  Ruggiero  (Gaglio,  et  al.,  1990).  WQMS  (1)  models  its 
domain  using  Forbus’  QPT  principles,  (2)  provides  an  interface  for  the  user  to  input  values 
and  write  results  to  a  file,  (3)  provides  a  shell  from  which  various  active  system  views  are 
processed,  and  (4)  uses  and  Envision  (ENV)  simulator  as  well  as  QSIM  simulator  to  move 
through  the  network  of  possible  system  states.  The  difference  between  the  two  is  that  ENV 
implements  a  depth-first  search  while  QSIM  uses  a  breadth-first  search.  Thus,  ENV 
sacrifices  the  thorough  examination  of  successive  states  provided  by  QSIM,  but  does  not 
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get  bogged  down  computationally  when  used  for  complex  systems.  The  user  is  given  the 
option  of  choosing  between  the  two  simulators  at  the  beginning  of  a  session. 

WQMS  was  written  in  the  production  language  OPS5  for  the  following 
reasons:  First,  production  rules  have  the  same  conceptual  structure  as  processes  and 
individual  views.  Second,  the  inference  engine  of  OPSS  can  be  used.  Third,  the  efficiency 
of  implementation  is  increased  through  the  use  of  a  rete  matching  algorithm,  which 
provides  several  views  or  processes  which  satisfy  the  same  conditions.  “An  important 
feature  of  OPSS  is  its  efficiency,  due  to  the  way  in  which  rules  are  grouped  in  the  conflict 
set  by  the  rete  match  algorithm.”  (Gaglio,  et  al.,  1990,  p.  42)  The  rete  match  algorithm 
matches  database  elements  against  rules  rather  than  rules  against  elements,  making  it  easier 
to  keep  track  of  which  rules  apply  and  which  do  not  when  a  database  element  is  changed. 

Individual  views  “represent  a  static  situation  in  the  evolution  of  a 
phenomenon.”  (Gaglio,  et  al.,  1990,  p.  43)  In  other  words,  they  represent  the  things  which 
are  true  when  the  system  is  in  a  particular  state.  Views  and  processes  appear  to  be  easily 
written  in  OPSS  aod  can  also  be  coded  somewhat  genetically.  For  example,  the  view  which 
describes  the  heating  process  for  water  can  also  describe  the  heating  process  for  steam. 

Working  memory  initially  contains  the  facts  input  by  the  user.  Since  each 
individual  view  corresponds  to  a  rule,  if  the  facts  in  the  working  memory  support  all  the 
criteria  of  a  view,  one  is  created  by  the  firing  of  a  rule.  Likewise,  processes  are  activated 
when  all  the  conditions  for  the  process  are  true. 

Two  biological  systems,  cell  growth  and  blood  glucose  dynamics,  have  been 
modeled  using  WQMS. 
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C.  MODEL-BASED  REASONING  IN  EDUCATION  AND  TRAINING 


1.  Model  Development 

A  fundamental  problem  for  students  beginning  the  study  of  physics  or 
advanced  applied  mathematics  is  a  lack  of  conceptualization  abilities  and  an  unhealthy 
reliance  on  formulaic  solutions.  Research  by  White  and  Frederiksen  (White  and 
Frederiksen,  1989)  contends  that  since  traditional  teaching  relies  on  the  use  of  quantitative 
laws  in  problem  solving,  and  algebraic  reasoning  is  substituted  for  underlying  causal 
effects,  there  is  a  lack  of  connection  between  a  student’s  instinctive  notions  of  causality  and 
the  quantitative  reasoning  employed  by  textbooks  and  instructors. 

White  and  Frederiksen  employ  the  concept  of  an  articulate  microworld  which 
combines  qualitative  modeling  of  electrical  circuit  behavior  within  the  framework  of  an 
intelligent  tutoring  system  (White  and  Frederiksen,  1989,  p.  85).  It  is  the  primary  vehicle 
in  solving  problems  where  the  student  is  required  to  formulate  mental  models  to  understand 
domain  phenomena  and  to  solve  problems.  Models  of  system  behavior  progress  from 
broadly  qualitative  and  analogous  to  quantitative  based  on  the  student’s  progress  and 
success  in  mastering  the  concepts  and  system  generated  test  problems  of  lower  level 
models. 

White  and  Frederiksen  discuss  two  distinctive  types  of  qualitative  models: 
phenomenological  models  and  reductionist  models.  Their  phenomenological  models  create 
systems  that  reason  about  gross  circuit  behavior.  The  first  of  these  models  adopted  a 
“device-centered”  view  of  causality  (see  ENVISION).  System  changes  are  reasoned  from 
the  perspective  of  individual  components.  Hie  major  drawback  of  the  device-centered 
model  is  that  it  does  not  readily  and  intuitively  model  important  laws  that  govem  circuit 
behavior  (such  as  Ohm’s  Law  or  Kirchoffs  Current  and  Voltage  Laws),  ^noe  Ac  system 
leasmis  in  a  component-by-component  fashion,  the  overall  electrical  process  is  not  clearly 


20 


seen.  This  is  not  necessarily  a  bad  thing  when  this  model  is  viewed  from  the  perspective  of 
a  new  student  thoroughly  unfamiliar  with  electrical  theory.  However,  since  the  spirit  of  the 
articulate  microworld  is  to  have  different  models  for  different  levels  of  comprehension, 
other  model  methodologies  must  be  used. 

A  “process-centered”  phenomenological  model  was  developed  to  describe  the 
effects  that  system  changes  have  on  the  system  as  a  whole.  A  change  in  state  of  a 
component  initiates  a  process  in  which  all  other  devices  within  the  affected  part  of  the 
system  ask  whether  or  not  they  are  affected  by  the  change.  If  so,  they  alter  their  states 
appropriately.  While  the  process-centered  model  shifts  the  focus  from  the  component  to  the 
system  as  a  whole,  it  still  only  describes  (as  opposed  to  explains)  physical  laws. 

Reductionist  models  attempt  to  explain  how  changes  is  a  system  occur.  These 
models  split  a  system  or  component  up  into  small,  easy  to  understand  parts  and  analyze  the 
effects  of  a  system  change  to  the  relationships  between  the  parts.  By  reducing  a  device  to 
smaller  and  smaller  components,  a  more  continuous  cause/effect  “chain"  can  be  developed 
to  explain  why  laws  work  as  they  do.  Of  course,  care  must  be  taken  in  deciding  how  far  to 
reduce  a  device;  the  advantages  of  qualitative  explanations  lie  in  their  relative  simplicity. 

Phenomenological,  reductionist,  and  quantitative  models  work  together  in 
what  White  and  Fredeiiksen  describe  as  model  evolution.  “The  evolution  of  knowledge  can 
be  captured  as  a  progression  of  increasingly  sophisticated  causal  models  that  are  qualitative 
early  on  but  that  can  later  be  mapped  into  quantitative  models  as  students’  understanding 
progresses.”(White  and  Frederiksen,  1989,  p.  94).  They  appear  to  fit  very  well  with  the 
notion  of  an  adaptive  cognitive  model  in  the  intelligent  tutoring  system  field  because  they 
can  be  ordered  into  a  hierarchy  resembling  how  human  beings  learn  things. 
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2.  STEAMER 


The  STEAMER  project  was  initiated  in  1979  and  developed  through  1984  by 
HoUan  in  collaboration  with  several  others,  principally  Hutchins  and  Weitzman  (Hollan,  et 
al.,  1984).  The  domain  of  STEAMER  is  a  Navy  steam  propulsion  plant  and  its  goal  is  to 
explore  the  use  of  artificial  intelligence  software  and  hardware  in  computer  aided 
instruction  (CAI).  It  is  written  in  LISP. 

Central  to  the  development  of  STEAMER  is  the  idea  of  mental  models,  the 
models  people  use  to  think  about  complex  systems.  “Without  richer  and  more  detailed 
understandings  of  the  nature  of  these  moctels,  instructional  applications  will  be  severely 
limited.”  (Hollan,  et  al.,  1984,  p.  15)  Graphical  interface  is  very  important  because  the 
variations  of  how  system  interactions  are  presented  are  also  variations  on  the  level  and 
direction  of  instruction.  STEAMER  presents  an  interactive,  inspectable  simulation;  the 
user  is  permitted  and  encouraged  to  explore  and  inspect  how  system  functions  perform. 
“Interactive  inspectable  simulations  have  the  potential  of  being  major  mechanisms  for 
supporting  the  development  of  understandings  of  process.**  (Hollan,  et.  al.,  1984,  p.  15). 

The  domain  area  was  chosen  because  the  designers  had  access  to  a  detailed 
mathematical  simulation  model  of  a  1200  psi  steam  plant  It  is  not  strictly  a  qualitative 
model,  but  a  quantitative  one  which  presents  information  qualitatively.  Another  not 
insignificant  factor  in  domain  choice  was  “the  potential  for  adequate  research  funding.” 
(Hollan,  et  al.,  1984,  p.  17)  Moreover,  a  simulation  restricted  to  user  interaction  via  a 
keyboard,  monitor  and  other  peripherals  is  more  cost  effective  than  alternative  plant 
simulations,  which  may  cost  as  much  as  $7  millitm  (Hollan,  et  al.,  1984,  p.  17). 

STEAMER  uses  dynamic  interactive  graphics  as  display  engines  which  can 
represent  the  plant  as  the  user  would  see  it  onboard  a  ship  or  as  an  expett  wonld  explain 
certain  complex  relationships  (such  as  changes  in  a  pneumatic  control  loop).  The  user  has 
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the  ability  to  alter  plant  parameters  either  by  manipulating  the  devices  that  affect  those 
parameters  or  by  changing  the  parameters  directly.  Either  approach  allows  the  user  to 
observe  the  effect  that  his  or  her  change  has  on  the  plant. 

A  graphical  editor  allows  a  user  to  put  “pieces”  of  a  plant  together.  As  these 
pieces  are  connected,  LISP  code  is  created  for  the  new  system.  “In  a  number  of  tryouts  of 
STEAMER  in  Navy  schools,  we  have  found  that  a  short  period  of  training  is  all  that  is 
required  for  instructors  to  begin  to  use  the  editor  productively.”  (Hollan,  et.  al.,  1984,  p. 
23). 

The  project  developers  contend  that  the  difference  between  STEAMER  and 
other  AI  efforts  centers  around  its  deep  commitment  to  graphics  in  both  the  presentation 
and  the  editing.  That  may  have  been  true  in  1984;  however,  it  needs  to  be  reexamined 
today.  The  developers  also  contend  that  STEAMER-like  systems  provide  a  “qualitatively 
different  and  superior  form  of  training.”  (Hollan,  et  al.,  1984,  p.  26)  It  does  employ  model- 
based  reasoning,  but  its  foundations  are  quantitative.  The  display  engines  provide 
reasonable  methods  of  extracting  qualitative  information  from  the  quantitative  data. 

3.  Intelligent  Maintenance  Training  System  (IMTS) 

The  Intelligent  Maintenance  Training  System  was  developed  by  the 
Behavioral  Technology  Laborator’.es  at  the  University  of  Southern  California,  funded  in 
part  by  the  Office  of  Naval  Research  (Towne,  et  al.,  1990).  It  is  an  interactive  graphical 
simulation  that  allows  the  user  to  build  a  system  using  a  sort  of  graphical  tool  box.  The  user 
can  then  specify  behavioral  rules  for  each  component  in  the  new  system.  IMTS  is 
implemented  in  Lisp. 

IMTS  simulations  are  built  from  generic  objects  contained  in  an  object  library. 
There  are  currently  about  ISO  objects  in  the  library.  Scenes,  which  are  screen-sized 
subsections  of  the  simulation,  are  built  from  objects  using  the  screen  editor.  When  objects 
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are  connected,  basic  rules  regarding  the  interconnection  are  automatically  generated. 
Generic  objects  come  pre-coded  with  behavioral  rules  indexed  by  the  possible  states  for  the 
object.  Each  state  has  certain  conditions  which  must  be  true  for  the  state  to  be  true,  and 
certain  effects  which  happen  as  a  result  of  being  in  that  state. 

A  user  can  create  objects  using  a  generic  object  authoring  utility.  After  the 
object  is  drawn  in  its  various  states  using  conventional  computer  graphics,  a  rule  definition 
must  be  specified.  As  in  the  generic  objects,  the  rules  must  spell  out  conditions  for  each 
state  and  the  effects  each  state  propagates.  Rule  definitions  can  only  be  in  terms  of  object 
input  and  output  points  (called  ports)  for  both  generic  and  created  objects. 

An  important  note  is  that  scenes  will  not  always  act  the  way  they  are  supposed 
to  when  first  constructed.  Common  errors  include  unconnected  ports  in  generic  objects  and 
inaccurate  or  incomplete  rule  definitions  for  created  objects.  IMTS  is  a  simulation 
authoring  system;  it  cannot  incorporate  first  principles  for  speciflc  systems  (e.g.,  IMTS 
cannot  assume  that  the  output  of  Pump  *A’  is  die  input  for  Valve  because  ‘A’  and  ‘B’ 
may  not  exist  together  in  any  random  system)  (Towne,  et.  al.,  1990,  p.  38). 

Simuladons  of  varying  levels  of  complexity  can  be  created  in  IMTS.  Simple 
models  that  mask  system  details  can  be  developed  for  novices  and  more  detailed  (and  more 
accurate)  scenes  can  hone  skills  of  advanced  students.  IMTS  has  never  claimed  to  be  a 
useful  diagnostic  authoring  system.  However,  since  the  accuracy  of  any  system  is  entirely 
dependent  on  the  system  author,  there  is  no  reason  why  a  highly  detailed  and  accurate 
model  cannot  be  used  (in  conjunction  with  diagnostic  code)  to  help  pinpoint  problem  areas. 

As  of  April  1990  there  have  been  1 1  different  simulations  built  in  IMTS.  One 
very  large  one  called  Bladefold  represents  the  mechanical,  electrical  and  hydraulic 
processes  for  folding  a  helicopter’s  main  rotor  blades.  It  consists  of  14  scenes  containing 
3(X)4-  specific  objects  and  has  provided  a  realistic  training  environment  for  advanced 
students  (Towne,  et  al.,  1990,  p.  40). 
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The  major  drawback  of  IMTS  is  its  implementation.  In  order  to  reduce  the 
most  complex  simulation  in  Bladefold  from  four  minutes  to  15  seconds,  IMTS  was  recoded 
using  machine-dependent  direct-addressing  techniques.  As  a  result,  the  current  version  of 
IMTS  can  only  run  in  the  Xerox  Interlisp  Environment.  Effective  training  in  IMTS,  then, 
can  only  be  accomplished  with  heavy  investment  in  a  machine  that  is  fast  becoming 
archaic. 

4.  GTS 

Generic  Training  System  (GTS)  was  developed  by  Inui,  Miyasaka, 
Kawamura,  and  Bourne  (Inui,  et  al.,  1989).  Its  goal  is  to  effectively  use  aniHcial 
intelligence  technology  and  qualitative  reasoning  techniques  to  build  an  individualized 
intelligent  tutoring  system.  (Inui,  et.  al.,  1989,  p.  59)  It  is  written  in  a  variety  of  languages: 
Franz  Lisp,  OPS5,  PEARL  (Package  for  Efficient  Access  to  Representations  in  Lisp)  and 
Flavors.  GTS  combines  knowledge  representation  schemes  used  in  heuristic  (rule-based) 
systems  and  qualitative  models  to  offer  a  more  robust  training  platform  than  traditional 
computer  aided  instruction  systems. 

Knowledge  representation  in  qualitative  simulation  is  implemented  using  the 
object-oriented  features  of  the  Flavcns  package.  Constraints  among  objects  are  encoded  as 
methods  and  are  imbedded  in  the  object  descriptions  (Inui,  et.  al.,  1989,  p.  63).  Since  the 
GTS  project  model  is  a  power  distribution  system  (PDS)  containing  many  individual 
components,  the  device-centered  approach  proposed  by  de  Klcer  and  Brown  in  ENVISION 
(called  Device-Centered  Ontology  in  GTS)  was  used  as  the  model  design  strategy. 

Objects  are  fitted  into  a  hierarchy  which  uses  the  inheritance  principles  of 
Flavors.  All  objects  in  the  PDS  domain  are  subclasses  of  the  basic  switch.  The  design  of 
this  hierarchy,  however,  is  not  top-down  but  bottom-up.  Each  device  is  identified  (such  as 
transformers  or  disconnect  switches)  and  common  attributes  of  devices  are  used  to  create 
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or  abstract  superclasses.  The  abstraction  continues  until  an  indecomposable  superclass,  the 
switch,  is  formed.  It  is  the  most  abstract  object  and  contains  all  the  “common”  feature  of 
all  subclasses  (Inui,  et.  al.,  1989,  p.  63). 

The  qualitative  model  is  integrated  into  the  ITS  framework  through  the  Model 
Based  Tutor.  It  was  originally  thought  that  a  student  would  need  textual  based  instruction 
(fixtm  the  Text  Based  Tutor  layer)  before  model-based  instruction  could  be  used.  However, 
system  tests  showed  that  the  graphic  displays  and  other  model-based  features  variably 
mixed  with  text  presentation  offered  the  best  results.  The  mix  can  vary  from  primarily  text- 
based  for  entry  level  students  to  primarily  model-based  to  offer  more  insightful 
explanations  of  difficult  concepts  for  advanced  students. 

GTS  is  genetic  enough  in  principle  to  be  used  in  a  wide  variety  of  intelligent 
tutoring  domains.  Since  it  relies  heavily  on  model-based  reasoning  concepts,  the  domain 
should  be  one  which  is  adaptive  to  those  concepts.  The  power  distribution  prototype  that 
developed  as  GTS  developed  has  been  expanded  into  a  Power  Distribution  Training 
System  currently  in  use  at  the  Osaka  Gas  Training  Center. 

D.  MODEL-BASED  REASONING  IN  DIAGNOSTICS 

1.  ODS 

Ontological  Diagnostic  System  (ODS),  written  in  LISP  in  1989  by  Gallanti, 
Stefanini,  and  Tomada  (Gallanti,  et  al.,  1989)  relies  on  knowledge  of  formal  design 
principles  and  an  understanding  of  physical  laws  behind  system  operation  to  diagnose 
malfunctions,  like  most  model-based  systems,  the  goal  of  ODS  is  to  provide  a  deep 
knowledge  network  instead  of  a  shallow  knowledge  base  found  in  rule-based  expert 
systems.  However,  unlike  other  model-based  systems,  ODS  does  not  determine  faults  by 
failing  likely  ctmiponents,  allowing  their  new  values  to  propagate  through  the  model  and 
then  compare  the  new  model  values  with  the  observed  system  values.  Instead,  ODS  uses 
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models  of  the  faulty  behavior  of  devices  to  determine  faults.  The  claim  of  ODS  designers 
is  that  using  these  faulty  models  reduces  the  complexity  of  fault  diagnosis,  thereby  making 
the  whole  process  more  effective  and  practical  (Gallanti,  et  al.,  1989,  p.  143). 

When  a  measurement  value  from  an  actual  system  sensor  fails  to  meet 
established  constraint  values,  the  ODS  diagnostic  process  is  initiated.  Discrimination 
among  all  possible  causes  of  the  malfunction  is  effected  by  propagating  the  corresponding 
malfunction  models  through  the  qualitative  constraints  and  comparing  the  computed  results 
with  observed  values. 

The  center  of  the  diagnostic  process  is  an  algorithm  which  uses  qualitative 
constraints  as  benchmarks  with  which  it  compares  faulty-model  generated  values.  The 
diagnostic  machine  considers  the  system  input  variables,  design  parameters  affected  by  the 
malfunction,  and  other  non-affected  design  parameters. 

ODS  designers  claim  superior  performance  when  compared  to  an  expert 
system  based  on  empiric  knowledge  of  the  same  domain  (in  the  test  case,  a  steam 
condenser).  The  better  performance  is  due,  in  part,  to  the  fact  that  the  rule  based  system 
relied  only  on  knowledge  available  in  the  plant  control  room  while  ODS  fault  models 
utilized  parameters  which,  while  not  directly  measurable,  can  affect  plant  operation  (such 
as  head  loss  through  a  section  of  piping).  The  intent  of  the  ODS  designers  was  to  show  that 
plant  operators  (who  rely  solely  on  observable  measurement  values)  have  not  developed 
diagnostic  skills  tying  unobservable  measurements  to  observed  ones  (Gallanti,  et  al.,  1989, 
p.  147).  No  surprise  there. 

ODS  typically  performed  fault  diagnosis  in  tenths  of  minutes  on  a  Symbolics 
3640  machine  with  4  megabytes  of  main  memory  (Gallanti,  et  al.,  1989,  p.  148).  No 
comparison  was  made  between  ODS  and  any  other  model-based  fault  diagnostic  system. 
Such  a  comparison  would  have  been  a  better  gauge  of  performance  than  that  with  the  rule- 
based  (empiric  knowledge)  system. 
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The  biggest  stumbling  block  for  ODS  is  its  assumption  that  all  possible 
component  malfunctions  can  be  modeled.  “Fault  and/or  malfunction  models  are  usually 
identified  for  most  subsystems  of  industrial  plants.”  (Gallanti,  et  al.,  1989,  p.  145)  This 
may  be  true  for  simple  devices  or  subsystems  such  as  a  light  switch  or  even  an  electrical 
pump,  but  becomes  exponentially  more  difficult  for  a  device  as  complex  as  a  propulsion 
boiler.  Boiler  malfunctions  can  be  modelled  efficiently  only  by  breaking  the  boiler  down 
into  component  parts  simple  enough  for  an  exhaustive  set  of  malfunction  models  to  be 
developed.  By  that  point,  propagation  of  faulty  models  would  be  virtually  the  same  as 
propagation  of  component  values  in  traditional  model-based  reasoning  systems. 

2.  Hoist 

Hoist  is  a  causal  reasoning  expert  system  based  on  qualitative  physics.  It  was 
developed  by  Whitehead  and  Roach  in  1990  (Whitehead  and  Roach,  1990).  Hoist’s 
domain  is  fault  diagnosis  in  the  lower  hoist  of  the  Mark  45  Naval  gun  turret  It  reasons 
about  machine  failures  from  a  functional  model  of  the  device,  and  is  thus  a  model-based 
reasoning  system. 

The  Hoist  developers  highlight  three  major  shortcomings  of  rule-based  expert 
systems  in  fault  diagnosis.  First,  they  caimot  handle  unanticipated  faults.  These  faults  are 
elsewhere  referred  to  as  “non-intuitive  anomalies.”  (Fulton  and  Pepe,  1990,  p.  55)  Second, 
the  develqrment  of  a  rule-based  expert  system  is  time  consuming  and  there  will,  therefore, 
be  a  lag  between  the  implementation  of  an  actual  real-world  system  and  its  corresponding 
expert  system.  Third,  updates  and  design  modifications  may  lead  to  incorrect  or 
inctmiplete  ctxiclusions  in  the  rule-based  system.  Hoist  was  designed  for  troubleshooting. 

“A  repair  expert  might  have  some  general  rules  for  isolating  faults,  but  s/he  does 
not  follow  these  rules  exclusively,  as  shallow  reasoning  expert  systems  would  imply. 
Instead,  s/he  understands  the  purpose  of  the  machine  and  knows  its  expected 
behavior.”  (Whitehead  and  Roach,  1990,  p.  109) 


Unlike  some  other  model-based  expert  systems.  Hoist’s  first  principles  are 
cause-effect  relationships  between  actual  pieces  of  hardware  and  do  not  attempt  to  describe 
actions  in  terms  of  qualitative  versions  of  physical  laws.  Since  it  models  the  gun  turret  at 
a  high  level  of  abstraction,  some  parts  of  the  system  cannot  be  accurately  described. 
However,  Hoist  designers  feel  that  the  level  of  abstraction  is  generally  sufficient  enough  to 
give  a  true  rendering  of  the  system  as  a  whole. 

Hoist  is  implemented  in  a  language  called  WIF  (What  IF),  which  is  based  on 
counterfactual  logic.  WIF  takes  a  “what  if’  introduced  by  the  user  and  assumes  it  will 
contradict  known  facts.  The  model  then  generates  all  known  worlds  (states)  which  could 
exist  is  the  counterfactual  clause  were  true.  This  is  ideal  for  troubleshooting  because 
instead  of  matching  symptoms  to  some  set  of  rules,  diagnosis  starts  by  introducing 
suspected  fault  conditions  and  ascertaining  whether  or  not  the  fault  state  can  be  reached 
given  the  “truth’’  of  the  suspected  fault. 

Hoist  runs  into  combinatoiially  explosive  situations  when  it  is  tasked  to  isolate 
multiple  faults.  However,  the  designers  claim  that  heuristic  searches  through  the  “fault 
space’’  can  reduce  the  effect  of  the  explosion.  (Whitehead  and  Roach,  1990,  p.  116) 

3.  Mathematical  Models  and  Uncertainty  Theory 

In  the  late  1980’s,  Lutcha  and  Zejda  developed  a  fault  diagnosis  system  for 
chemical  processing  units  based  on  mathematical  models  (Lutcha  and  Zejda,  1990). 
Chemical  production  plants  experience  large  financial  losses  when  abnormal  conditions 
force  a  shutdown.  Moreover,  the  potential  for  loss  of  human  life  and  the  release  of  toxic 
chemicals  is  greatly  increased.  Development  of  a  rule-based  expert  system  was  not 
considered  well  suited  for  chemical  processing  units  because  the  operamr  expertise  was 
deemed  either  inadequate  or  non-existent  in  many  new  and  modified  chemical  processes. 
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Lutcha  and  Zejda  proposed  that  all  chemical  processes,  even  the  most  complex, 
could  be  broken  down  into  smaller,  easier  handled  subsystems.  These  subsystems  could  be 
sufficiently  described  by  mathematical  equations  founded  on  the  principles  of  energy  and 
material  conservation  (Lutcha  and  Zejda,  1990,  p.  32).  These  mathematical  equations, 
called  governing  equations,  are  expressed  in  terms  of  measurable  variables,  such  as 
sensors.  Sensor  values  are  inferred  to  be  discrete,  and  a  set  structure  is  used  to  keep  all 
possible  sensor  fault  states.  Governing  equations  common  to  more  than  one  subsystem 
provide  the  articulation  points  which  link  subsystems  together  into  the  original  chemical 
process. 

Since  processes  are  broken  down  into  subsystems,  each  of  which  is  described 
by  only  a  few  governing  equations.  Boolean  logic  can  be  used  to  determine  which  sensor 
will  fail  given  any  other  values  in  the  mathematical  models.  These  “other  values”  are  actual 
measurement  values  from  the  processing  unit  Problems  arise  when  measurement  noise 
causes  the  diagnosis  to  fluctuate  oetween  two  or  more  faults.  Lutcha  and  2^jda’s  solution 
to  this  problem  is  to  introduce  a  certain  level  of  belief  of  failure  to  each  sensor  for  each 
discrete  level  of  failure  using  Shafer-Dempster  probability  mass  distributions  (p.m.d). 
Take  the  p.m.d.  for  one  governing  equation  (Lutcha  and  Zejda,  1990,  p.  34): 

ml  (Hi+,  Hi®,  Hf,  F)  =  {0.8, 0.2, 0.0, 0.0}  (eq  3.2) 

The  certainty  of  some  sensOT  state  F  being  true  is  0.8  if  the  result  of  the 
governing  equation  is  higher  than  normal  or  0.2  if  the  result  of  the  governing  equation  is 
normal.  The  latter  assumes  that  another  sensor  state  may  be  counterbalancing  F  and  further 
inftnmation  (i.e.,  from  other  governing  equations)  is  necessary  to  pinpoint  the  fault  So, 
while  straight  Boolean  reduction  results  in  only  one  fault  (which  may  fluctuate  with 


30 


fluctuating  plant  parameters),  uncertainty  theory  assumes  all  faults  are  present  and  assigns 
a  degree  of  belief  (or  weight)  to  each  one  (Lutcha  and  Zejda,  1990,  p.  35). 

Lutcha  and  Zejda  programmed  this  system  using  Turbo-Pascal  because  of  its 
ease  in  handling  data  structures  and  real  number  types.  They  are  currently  working  on 
exploiting  both  shallow  and  deep  knowledge  in  for  an  even  more  robust  expert  system. 
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IV.  THE  BOILER  SYSTEM 


Mo^l-based  reasoning  is  ideally  suited  for  developing  an  expert  system  for  a  steam 
generation  plant.  As  with  any  model,  the  better  understood  the  system  to  be  modeled,  the 
more  complete  and  robust  that  model  will  be.  To  that  end,  this  chapter  will  focus  first  on 
the  subcomponents  that  comprise  the  boiler  system  and  how  they  work  together.  The 
second  part  of  the  chapter  will  examine  what  casualty  conditions  may  arise  and  what  their 
causes  are. 

A.  BOILER  FUNDAMENTALS 

A  1200  psi  steam  plant  is  a  complex  arrangements  of  valves,  piping,  and  components 
whose  proper  operation  and  interaction  are  critical  to  the  operation  of  steam  powered  Naval 
vessels.  The  hean  of  the  plant  is  the  1200  psi  D-type  boiler. 

‘‘Boilers  use  thermal  energy  obtained  from  the  combustion  of  fuel  oil  to  change 
feedwater  into  superheated  steam  for  use  in  the  operation  of  the  main  engine,  the 
turbogenerators  and  the  main  feed  pumps.  A  portion  of  the  superheated  steam  is 
desupi^eated  for  use  in  the  operation  of  auxiliary  equipment.”  (Propulsion  Plant 
Manual,  1978,  p.  1-1) 

It  should  be  noted  that  although  BoilerModel  was  developed  based  on  the  boiler  and 
plant  configuration  of  the  FF-10S2/1078  platform,  the  implementation  is  strictly  qualitative 
(e.g.,  values  of  ‘‘LIFT_SAFE_Hr’  instead  of  ‘‘1385  psig”  for  lifting  safety  valves).  Thus, 
the  same  model  (with  minor  piping  configuration  changes)  can  be  used  for  any  Navy 
propulsion  boiler. 
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1.  Boiler  Parts 


The  boiler  components  covered  in  this  section  are  illustrated  schematically  in 
Figures  4.1  and  4.2. 


Figure  4.1 
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Figure  A3. 

The  steam  drum  is  the  largest  pressure  component  of  the  boiler  (Propulsion 
Plant  Manual,  1978,  p.l>20).  It  is  physically  located  at  the  top  of  the  structure.  The  steam 
drum  is  separated  into  two  sections.  The  bottom  half  receives  feedwater  from  the  main  feed 
pumps,  which  are  external  to  the  boiler  itself.  The  top  half  receives  saturated  steam  from 
the  generation  tubes. 

The  water  drum  is  another  large  vessel  which  acts  as  a  header,  directing  boiler 
water  up  the  various  generating  tubes.  The  water  in  this  drum  acts  as  an  indirect  cooling 
medium  for  the  desuperheater. 

The  downcomers  are  pipes  which  connect  the  steam  drum  to  the  water  drum. 
They  reside  in  the  air  casing  which  separates  the  exterior  boiler  surface  from  the  furnace 
wall.  Since  they  do  not  come  into  contact  with  direct  heat  and  suffer  virtually  no  casualties, 
the  downcomers  were  not  explicitly  modeled  in  this  project 

The  generation  tubes  provide  a  conduit  for  boiler  water  to  travel  fipon  die  water 
drum  back  to  the  steam  drum.  These  tubes  come  into  direct  contact  with  combustion  gases 
in  the  furnace  and  are  the  primary  places  where  water  becomes  steam. 


The  superheater  is  a  tube  bundle  which  receives  saturated  steam  (steam  at  its 
boiling  temperature  for  a  given  pressure)  which  becomes  superheated  as  combustion  gases 
flow  past  the  tubes. 

The  desuperheater  is  located  inside  the  water  drum.  It  is  also  a  tube  bundle  and 
uses  the  surrounding  water  to  reduce  the  temperature  of  some  of  the  superheated  steam. 

The/ue/  manifold,  located  on  the  boiler  front,  consists  of  valves  and  piping  for 
four  burners.  Atomized  fuel  is  mixed  with  combustion  air  from  the  forced  draft  blowers 
(external  to  the  boiler)  in  the  burners  and  is  sprayed  into  the  furnace. 

The  boiler  furnace  is  a  brick  and  refractory  enclosure  through  which  the 
generation  tubes  and  superheater  pass.  When  the  boiler  is  on-line,  the  furnace  is  the  home 
of  a  very  hot  fireball  of  burning  fuel  (courtesy  of  the  burners). 

The  scfety  valves  are  located  on  top  of  the  steam  drum.  They  are  adjustable, 
spring-shut  valves  that  lift  to  relieve  excess  drum  pressure  and  reseat  below  lifting  pressure. 
Without  safeties,  the  steam  drum  would  be  subject  to  accidental  rupture,  and  the  boiler 
room  would  be  a  more  dangerous  place  to  woik. 

2.  The  Boiler  in  Action 

Figure  4.3  is  a  schematic  of  the  major  frreroom  systems  and  main  steam  loads. 

The  main  feed  pumps  provide  relatively  cool  water  to  the  boiler  steam  drum. 
Because  of  the  lower  temperature  of  the  feedwater  (compared  to  the  temperature  of  the 
steam-water  mix  in  the  generating  tubes),  it  falls  naturally  down  the  downcomers  to  the 
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water  drum.  It  should  be  noted  here  that  very  pure  “feedwater”  becomes  “boiler  water” 
in  the  steam  drum,  where  chemicals  are  injected  to  maintain  pH  and  phosphate  levels. 


Figure  4  J 


The  boiler  water  is  redirected  by  the  water  drum  (which  acts  as  a  manifold)  up 
the  various  generating  banks.  Natural  circulation,  which  relies  on  the  difference  in 
densities  between  water  drum  water  and  steam  drum  steam,  is  the  motive  force  behind  this 
redirecdon.  Hie  water  in  the  generating  tubes  proceeds  to  boil  as  it  flows  through  the  tubes 
to  the  top  half  of  the  steam  drum.  In  a  normally  functioning  boiler  (safety  valves  shut). 
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there  is  only  one  place  for  the  steam  to  go:  to  the  superheater.  The  superiieater  has  several 
passes,  and  as  the  steam  flows  through  them,  its  temperature  is  raised  above  its  boiling 
temperature  (i.e.,  it  is  supeiiieated).  Supeiheated  steam,  also  called  main  steam,  is  then 
available  for  the  main  engines,  feed  pumps,  and  tubine  generators  which  require  the  high 
enthalpy  from  superheating. 

Many  steam  systems,  however,  do  not  need  steam  at  such  a  high  temperature, 
so  some  of  the  supeiheated  steam  is  directed  to  the  desuperheater,  which  uses  boiler  water 
in  the  water  drum  to  cool  the  steam  some  300  degrees.  From  the  desuperheater,  the 
auxiliary  steam  is  used  for  all  other  steam  loads,  including  heating  systems,  laundry  and 
scullery  operation,  atomization  steam,  and  forced  draft  blowers. 

Fuel  is  provided  to  the  fuel  manifold  by  the  fuel  oil  service  pump.  It  is 
atomized  by  steam  and  mixed  with  just  the  right  amount  of  air  to  bum  cleanly  and 
efficiently.  Combustion  air  is  provided  by  turbine  driven  forced  draft  blowers  via  an  air 
register  assembly  at  the  burner  front 

B.  BOILER  CASUALTIES 

Many  abnormal  conditions  may  face  a  boiler  operator.  Most  if  left  unchecked,  will 
cascade  into  more  severe  casualties,  resulting  in  equipment  damage  and/or  loss  of  life.  This 
section  will  examine  some  of  the  more  common  boiler  casualties  along  with  their 
symptoms,  indications,  and  possible  causes. 

1.  Fuel  on  Deck 

Normally,  all  fuel  supplied  to  the  burner  front  is  consumed  by  the  fireball  in  the 
furnace.  Occasionally,  though,  unbumed  fuel  may  leak  from  the  atomizer  to  the  furnace 
floor.  The  cause  of  this  problem  usually  resides  with  the  atomizer  itself;  it  has  not  been 
tightened  sufficiently  or  is  partially  clogged  by  water  or  sediment.  Occasionally,  fuel  will 
drip  on  deck  when  the  boiler  is  secured  using  the  Fuel  Oil  Quick-Qosing  Valve.  There  are 
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three  types  of  Fuel  on  Deck  casualties,  but  only  one.  Unburned  Fuel  on  Deck  with  Fires 
Secured,  is  currently  incorporated  in  BoilerModel. 

Fuel  in  this  condition  evaporates  rapidly  because  of  the  residual  heat  in  the 
furnace.  The  evaporating  fuel  will  fog  the  boiler  periscope  mirror.  A  large  amount  of  fuel 
vapors  in  the  fire  box  presents  a  potentially  explosive  situation. 

2.  White  Smoke 

A  precise  mixture  of  fuel  and  air  is  required  for  clean  combustion  (i.e.,  no 
smoke  and  minimal  soot  build-up  on  tubes).  When  the  mixture  becomes  unbalanced  and 
there  is  too  much  air  flow,  a  white  smoke  condition  may  result.  White  smoke  will  appear 
orange  in  color  through  the  boiler  periscope,  and  billows  of  whitish-grey  smoke  will  come 
from  the  stacks  topside.  Additionally,  superheater  temperature  may  be  lower  than  normal. 
In  this  condition,  unbumed  fuel  in  an  aerosol  state  (from  the  excess  air)  travels  up  the  stack. 
Since  the  stack  is  not  a  clear,  straight  path  up  from  the  furnace,  the  aerosol  may  be  diverted 
into  eddies  and  may  cool  down  enough  for  fuel  to  condense  onto  hot  surfaces,  resulting  in 
a  boiler  explosion.  Sixty  seconds  is  considered  the  maximum  time  a  white  smoke  condition 
may  exist  uncorrected.  The  likelihood  of  a  boiler  or  stack  explosion  increases  greatly  after 
that  point 

3.  Black  Smoke 

When  the  fuel/air  mixture  becomes  too  fuel-rich,  a  black  smoke  condition  will 
occur.  This  is  indicated  by  a  blacked-out  periscope  and  large  amounts  of  dark  exhaust  from 
die  stacks.  Although  not  as  dangerous  and  time  critical  as  a  white  smoke  casualty,  black 
smoke  increases  the  amount  of  soot  on  tubes  and  along  the  stack  wall,  and  increases  the 
likelihood  of  a  stack  fire. 
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4.  Low  Water 


Water  is  not  only  the  working  fluid  in  the  boiler  system;  it  is  also  the  cooling 
medium  for  the  generation  tubes  and  the  superheater.  A  low  water  condition  will  arise 
when  there  is  greater  flow  out  of  the  boiler  than  there  is  flow  in.  A  malfunctioning 
Feedwater  Control  Valve  is  frequently  the  culprit  in  a  low  water  casualty.  The  primary 
indicator  for  this  casualty  is  an  alarm  which  sounds  when  steam  drum  water  level  drops  to 
-6  inches  (i.e.,  six  inches  below  normal  water  level).  Before  and  after  the  alarm  sounds, 
steam  drum  level  can  be  tracked  directly  via  a  gauge  glass  on  the  steam  drum.  As  water 
level  continues  to  drop,  tube  ends  and  eventually  the  tubes  themselves  are  deprived  of  their 
cooling  fluid  and  become  subject  to  deformation  to  the  point  of  rupture. 

5.  High  Water 

More  water  supplied  to  the  boiler  than  steam  flow  out  will  result  in  a  high  water 
casualty.  High  water  is  not  as  catastrophic  to  the  boiler  as  low  water,  although  it  may  result 
in  the  carryover  of  water  (and  with  it,  chlorine  ions)  into  the  superheater.  Since  the 
superheater  is  made  from  stainless  steel,  it  is  subject  to  chloride  stress  corrosion  at  high 
temperatures.  The  worst  effects  of  a  high  water  casualty  are  seen  in  turbine  driven 
equipment  A  slug  of  water  carried  out  of  die  boiler  can  shatter  the  blading  of  a  turbine 
rotating  thousands  of  revolutions  per  minute.  High  water  is  indicated  by  an  alarm  when 
steam  drum  water  level  teaches  +7  inches. 

6.  Ruptured  Tube 

A  ruptured  tube  occurs  when  there  is  inadequate  heat  transfer  from  tube  surface 
to  cooling  medium.  A  frequent  cause  for  a  ruptured  tube  is  a  low  water  condition,  but  other 
causes  include  improper  boiler  water  chemistry  and  fouled  watersides.  A  ruptured  tube  is 
a  catastrophic  casualty;  the  boiler  cannot  be  immediately  restored.  Moreover,  ruptured 
tubes  often  inflict  collateral  damage  on  other  nearby  tubes  and  tm  the  furnace  brickwork. 
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A  loud  hissing,  fogged  periscope,  and  sudden  drop  in  steam  drum  pressure  are  indicators 
of  a  ruptured  tube  condition. 
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V.  AN  ADA  IMPLEMENTATION 


From  its  earliest  conception,  BoilerModel  was  meant  to  be  an  Ada  project.  Several 
factors,  including  speed,  maintainability,  and  portability  contributed  to  this  decision; 
however,  the  main  consideration  was  the  Department  of  Defense’s  embracement  of  Ada  as 
a  lingua  franca  for  future  programming  applications.  This  chapter  will  first  examine  the 
scope  of  the  BoilerModel  implementation.  Next,  it  will  assess  the  value  of  Ada  as  an 
artificial  intelligence  tool.  Finally,  the  model  implementation  and  results  from  a  test  run 
will  be  critically  reviewed. 

A  SCOPE  OF  THE  MODEL 

The  original  plan  for  BoilerModel  was  to  write  and  implement  it  on  an  IBM-type  PC 
using  Meridian  Software’s  AdaZ  (later  OpenAda)  compiler.  An  early  version  of 
BoilerModel  was  written  and  did  run  with  Ada2:;  however,  the  variable  stack  used  by  the 
compiler  later  proved  to  be  inadequate  for  the  number  of  global  variables  (and  the  size  of 
the  data  structures  in  which  these  variables  were  instantiated)  in  the  current  version  of  the 
model.  With  virtually  no  changes  to  existing  code,  the  model  was  transferred  to  a  Sun 
SPARCstation  and  the  Verdix  Ada  compiler.  The  number  and  size  of  global  variables  did 
not  adversely  affect  that  compiler. 

BoilerModel  models  a  somewhat  simplified  1200  psi  D-type  boiler,  along  with  valve 
and  piping  systems  to  and  from  major  loads  and  supporting  auxiliary  equipment.  Although 
all  propulsion  boilers  operate  the  same  in  principle,  BoilerModel’s  architecture  comes  from 
the  FF  1052/1078  class  platform.  Fmr  the  purpose  of  this  implementation,  boiler  steam 
loads  are  assumed  to  be  ’^eceive-ready”  and  boiler  auxiliaries  are  assumed  to  be  “supply- 
ready.”  This  singly  means  that  if,  for  example,  the  boiler  is  on-line  and  an  qren  path  to  the 
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Engineioom  for  main  steam  exists,  then  the  steam  will  be  used  in  the  Engineioom  (even 
though,  at  present,  there  is  no  such  end-user  in  the  model).  Likewise,  if  there  is  an  open 
piping  path  from  the  Fuel  Oil  Service  Pump,  then  fuel  will  flow  to  the  boiler  regardless  of 
the  fire  status  of  the  furnace. 

Assumptions  like  these  have  their  problems.  For  example,  the  Main  Feed  Punq)s  on 
a  frigate  are  steam  driven.  However,  since  they  have  not  been  fully  modeled  here,  they  will 
still  operate  when  steam  flow  from  the  boiler  is  secured.  The  ‘‘receive-ready”  and  “supply- 
ready”  assun^tions  should  be  viewed  as  temporarily  undeveloped  components  in  a  larger 
propulsion  plant  model.  They  currently  serve  as  a  test  harness  for  the  boiler. 

The  Automatic  Boiler  Control  (ABC)  systems  were  not  included  in  this  model;  they 
are  complex  enough  to  comprise  a  separate  project.  Since  they  are  measurable,  interacting 
physical  systems,  they  can  also  be  implemented  in  a  model-based  reasoning  system  to  work 
with  BoilerModel. 

Finally,  a  valve  which  does  not  exist  on  tiie  real-world  boiler  was  included  in  this 
model.  The  Virtual  Supeiiieater  Outlet  was  added  so  the  user  could  observe  tiie  effects  of 
stopping  all  steam  flow  from  the  boiler.  A  later  version  of  BoilerModel  should  contain  a 
more  versatile  user  interface  which  would  allow  the  user  to  change  more  than  one  valve 
status  OT  characteristic  per  scenario.  That  vosatility  is  currently  lacking. 

B.  ADA  IN  ARTinCIAL  INTELLIGENCE 

The  typical  benchmark  in  artificial  intelligence  technology  is  “adequacy”-  does  the 
system  provide  acceptably  correct  answers  or  diagnoses  in  an  acceptable  amount  of  time  or 
detail?  Programs  have  generally  been  prototyped  in  one  of  the  standard  AI  languages,  such 
as  LISP,  and  once  developed,  translated  into  a  more  efficient  language  (e.g.,  C  cr  Pascal). 
(Baker,  1987,  p.  39) 
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Ada  provides  an  alternate  solution.  Its  rich  data  types,  capability  for  multitasking, 
and  strong  typing  requirements  are  some  of  the  reasons  Ada  can  and  should  be  used  from 
initial  program  development  through  implementation  of  the  fmal  product. 

“Ada  is  a  language  that  directly  embodies  many  modem  software  engineering 
principles  and  is  therefore  an  excellent  vehicle  with  which  to  express  programming 
solutions.  Ada  not  only  encourages  the  use  of  good  design  and  programming 
practices  but . . .  it  can  actually  enforce  such  practices.”  (Booch,  1987,  p.  4) 

This  section  will  focus  on  the  characteristics  of  Ada  which  can  make  it  a  preeminent 
artificial  intelligence  tool. 

1.  Data  Types  and  Strong  Typing 

Virtually  anything  that  can  be  modeled  can  be  modeled  using  Ada  types.  There 
are  four  categories  of  Ada  types;  scalar  types,  composite  types,  access  types,  and  private 
types  (Booch,  1987,  p.  104).  Scalar  types  describe  values  consisting  of  a  single  component. 
They  include  integers,  reals,  and  enumeration  types  (e.g.,  characters  or  Booleans). 
Composite  types  deal  with  objects  that  are  logically  composed  of  different  components, 
such  as  array  and  record  types.  Access  types  are  dynamically  created  and  destroyed  objects 
that  may,  by  reference,  belong  to  more  than  one  other  object  Access  types  are  known  as 
pointers  in  C  and  Pascal.  Private  types  allow  the  developer  to  explicitly  deHne  die  stracture 
and  value  of  a  type  and  provide  for  the  usor  only  those  operations  necessary  for  the 
manipulation  of  object  attributes  consistent  with  design.  The  integrity  of  an  object  declared 
as  a  private  type  is  thus  ensured  (Bennett  1991,  p.  33). 

Ada  is  a  strongly  typed  language.  This  means  that  variables  of  a  certain  type 
can  assume  only  those  values  which  are  appropriate  for  that  type.  Additionally,  operations 
perfOTmed  on  a  variable  must  be  predefined  in  the  type  definition  for  that  variable  type.  For 
exanqile,  suppose  the  enumeration  type  MEASUREMENT.VALUE  was  declared  (with 
HIGH,  LOW,  and  RESULT  instantiadmis  of  that  type)  and  a  programmer  wrote  the 
following  line  of  code; 
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RESULT:*  HIGH  +  LOW; 

The  C(»n|>iler  would  reject  the  program  because  enumeration  types  have  no  deHned 
addition  operator.  Other  languages,  such  as  Lisp,  would  allow  such  a  line  of  code  to 
compile,  but  would  yield  some  unpredictable  result  if  that  line  were  invoked.  Ada  is  thus 
a  more  difficult  language  in  which  to  write  a  compilable  program,  but  that  program  will 
yield  ctnrrect  and  consistent  results  when  run.  The  advantage  here  lies  in  the  fact  that 
compiler  errors  are  usually  identffied  by  line;  debugging  is  a  matter  of  correcting  that  error 
(which  may  not  be  a  trivial  exercise).  Run>time  errors  do  not  explicitly  identify  which 
section  of  the  program  was  at  fault  and  can  lead  to  hours  of  line-by-line  examination  of 
code. 

Ada  data  structures  range  from  the  common  (linked  lists)  to  the  reusable 
(generic  program  units).  They  can  be  used  as  abstractions  of  leal-wwld  objects  or  as 
logical  groupings  for  related  types.  Their  versatility  is  limited  only  by  the  typing 
constraints  of  their  component  types  and  the  memory  constraints  of  the  compiler.  Because 
they  can  be  precisely  tailored  for  a  given  application,  they  are  ideal  for  use  in  model-based 
reasoning  systems  which  depend  on  accurate  compcment  definition  and  inter-component 
connectivity. 

2.  Multitasking 

An  Ada  task  is  (me  of  the  primary  inx>gram  units  of  the  language  (along  with 
subprograms  and  packages).  Tasks  may  or  may  not  ccmimunicate  with  other  program  units, 
and  may  be  assigned  different  priorides.  All  tasks,  however,  have  one  thing  in  comnoon: 
they  are  designed  fcvcxmcurrem  processing.  A  machine  widi  three  processors  can  run  three 
tasks  from  the  same  |»ogram  at  the  same  dme.  A  machine  with  uafynaeprasanr  must 
rely  on  an  implementadon-dependent  scheduler  which  may  not  necessarily  be  ‘Tair’' 
(Booch,  1987,  p.  282).  Mtneover,  most  Ada  (mmpilers  contain  some  s(«  of  time-slicing 
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algorithm  that  can  be  used  to  simulate  concurrent  processing  (the  state  of  the  task  when  its 
time  slice  has  expired  is  saved  and  it  is  at  that  point  that  the  task  will  resume  when  it  gets 
a  new  slice). 


There  are  two  general  classifications  of  tasks:  actor  tasks  and  server  tasks. 
Actor  tasks  are  not  called  (or  “entered”)  by  wy  other  tasks  or  program  units  and  are  thus 
continuously  active.  They  may,  in  turn,  activate  other  tasks  with  visible  entry  points. 
Server  tasks  have  entry  points  but  cannot  activate  any  odier  tasks.  Tasks  which  are  hybrids 
of  these  two  types  can  be  created.  (Booch,  1987,  p.  283) 

(3are  must  be  taken  to  ensure  that  tasks  do  not  inadvertently  corrupt  variables 
shared  with  other  tasks.  For  example.  Task  A  uses  the  value  of  a  variable  x  in 
computations.  It  must  be  guaranteed  that  if  Task  A  is  preempted  by  a  higher  priority  task 
or  its  time  slice  has  expired  before  the  end  of  the  task,  then  no  other  task  will  corrupt  x 
before  Task  A  can  complete  its  computations. 

In  a  steam  generation  plant,  several  events  occur  simultaneously.  Steam  flows 
through  piping  systems  at  the  same  time  as  fiiel  is  supplied  to  the  boiler  at  the  same  time  as 
feedwater  is  pumped  into  the  steam  drum.  Ada  tasks  are  outstanding  tools  for  modeling  the 
cause-effect  relationships  in  such  a  systeno.  Fmr  example,  when  fires  go  out  in  a  real-world 
boiler,  steam  flow  out  of  the  generation  tubes  is  immediately  reduced.  Two  tasks,  one 
which  concerns  itself  with  boiler  fires  management  and  another  which  monitors  steam  flow 
through  boiler  tubes  could  run  independently  yet  share  a  common  variable:  boiler  fire  status 
(changeable  only  by  the  fires  manager).  Now,  instead  of  having  the  disjointed  nest  of  tfand 
case  statements  and  an  uiuealistic  sequence  of  events  common  in  a  sequential  processing 
system,  one  can  realistically  model  events  which  occur  concurrently. 
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3.  Portability  and  Speed 

A  machine-dependent  artificial  intelligence  application  is  useful  only  as  long 
as  the  particular  machine  is  available,  affordable,  and  multi-purpose.  Similarly,  programs 
written  in  languages  lacking  a  common  standard  are  neither  easily  maintained  nor  readily 
integrated  into  other  applications  written  in  different  dialects  of  the  same  language,  lisp 
and  C  are  languages  in  which  portability  can  be  a  problem.  C  is  generally  portable,  but 
libraries  vary  from  implementation  to  implementation.  Since  C  is  a  language  of  functions, 
this  can  be  a  difficult  problem  to  overcome  (Baker,  1987,  p.  40).  Lisp  has  traditionally  been 
very  nonportable  (Baker,  1987,  p.  40),  although  efforts  have  been  made  to  standardize 
Common  lisp.  Ada  is  currently  the  most  portable,  “although  at  present  this  portability  is 
limited  by  the  availability  of  Ada  compilers  and  support  environments.”  (Baker,  1987,  p. 
40)  Since  an  Ada  compiler  may  only  be  authorized  for  use  in  DoD  applications  if  it 
conforms  to  the  ANSI/MIL-STD-1815A  requirements  promulgated  by  the  Department  of 
Defense,  it  can  be  a  time  and  money  consuming  proposition  to  build  a  compiler.  There  are, 
however,  several  more  on  the  market  since  Baker  (1987),  and  they  are  affordable.  Ada’s 
portability  was  put  to  the  test  during  the  development  of  BoilerModel.  Code  for  an  early 
version  of  the  project  that  had  compiled  and  was  successfully  running  on  an  80286  noachine 
was  transferred  in  ASCII  format  to  a  UNIX  based  Sun  system.  No  changes  to  the  code  were 
needed  for  it  to  compile  and  run  on  the  new  system. 

Ada  generates  code  which,  while  probably  somewhat  slower  than  C  code,  is 
markedly  faster  than  Lisp.  This  comes  as  no  surprise;  “Lisp  programs  are  great  consumers 
of  memory  and  often  CPU  time.”  (Baker,  1987,  p.  39)  One  of  the  design  considerations  for 
Ada  was  real-time  control  (for  use  in  embedded  systems).  To  that  end,  one  of  the  three 
goals  established  by  the  Ada  language  temi  was  ^ciency.  “Any  language  construct 
whose  implementation  was  unclear  or  required  excessive  machine  resources  was  rejected.” 
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(Booch,  1987,  p.  54)  Ada’s  speed  would  be  of  great  advantage  in  real-time  expert  systems, 
such  as  autonomous  vehicle  control  and  robot  sensor  processing. 

4.  Readability  and  Maintainability 

An  argument  can  be  made  that  Ada  code  is  easier  to  read  than  Lisp  code  for 
most  people  raised  on  traditional  programming  (Baker,  1987,  p.  43).  Its  English-like 
syntax  (no  car’s  or  cdr’s,  thank  you),  minimal  use  of  parentheses,  and  modular  design 
certainly  enhance  its  appeal.  If  the  language  is  more  readable,  then  it  will  probably  be  more 
maintainable.  “Since  Ada  is  a  highly  structured  language,  it  is  easy  to  maintain  the  original 
structure  of  the  system  while  modifying  pieces.’’  (Booch,  1987,  pp.  422-23)  Of  course,  the 
bottom  line  as  far  as  readability  goes  will  probably  be  personal  preference.  Ada  supporters 
claim  that  an  Ada  program  can  be  understood  easily  and  translated  into  other  langi  ages 
(Baker,  1987,  pp.  39, 40).  In  fact,  this  claim  is  used  to  promote  the  general  utility  of  the 
language.  Can  Lisp  supporters  make  such  a  claim? 

C.  ADA  vs.  LISP  ..  A  CASE-BASED  COMPARISON 

An  early  version  of  BoilerModel  (hereafter  referred  to  as  ProtoBoiler  to  differentiate 
it  from  the  final  version)  that  did  not  incoiporate  Ada’s  tasking  constructs  was  compared 
to  the  same  program  written  in  Lisp.  The  code  fOT  both  these  programs  can  be  found  in 
Appendix  C.  It  should  be  noted  here  that  the  Lisp  program  was  written  as  functionally  as 
possible  to  ensure  that  the  comparison  fairly  evaluated  an  Ada  program  against  a  Lisp 
program  as  they  are  conventionally  written.  Tables  S.l,  5.2,  and  5.3  synopsize  the  results 
of  the  test  The  Lisp  code  was  written  and  run  in  the  Allegro  Common  Lisp  environment 
in  both  an  uncompiled  and  a  compiled  version.  The  difference  in  speed  is  at  the  expense 
of  storage  (16.2  K  vice  36.7  K).  Since  memory  is  no  longer  a  consideration  for  all  practical 
purposes,  this  trade-off  is  worthwhile.  Additionally,  both  Lisp  versions  have  time  for 
“garbage  collection’’  and  “non-garbage  collection’’  use  of  the  CPU.  Garbage  collection 
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means  that  when  usable  memory  is  full,  the  processor  stops  what  it  is  doing  to  recover 
unreferenced  memory  (Baker,  1987,  p.  40).  Although  garbage  collection  does  vary 
depending  on  system  usage,  it  is  a  real  time  consumer  which  must  be  taken  into 
consideration.  The  Ada  compiler  performs  garbage  collection  only  once,  at  compile  time. 
All  conparisons  were  made  at  the  same  time  of  day,  with  similar  system  loads. 


ADA 

TIME  (SEC) 


VALVE 

TRACE 

use!^ 

SYSTEM 

TOTAL 

FOCV 

Y 

0.3 

1.3 

1.6 

FOCV 

N 

0.0 

0.1 

0.1 

MSS 

Y 

0.1 

0.3 

0.4 

MSS 

N 

0.0 

0.0 

0.0 

FEED  STOP 

Y 

0.0 

0.3 

0.3 

FEED  STOP 

N 

0.0 

0.1 

0.1 

TESTl* 

Y 

0.7 

2.3 

3.0 

TESTl* 

N 

0.0 

0.2 

0.2 

Storage:  code  15799  bytes 

executable  229376  bytes 

•  TESTl  closes  FOCV,  then  DESUP-IN,  then  MSS 


Table  5.1 
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UNCOMPILED  LISP 


NON-GC  TIME 
(SEC) 

GCTIME 

(SEC) 

VALVE  TRACE 

1 

USER 

1 

SYSTEM 

r 

USER 

- 1 

SYSTEM 

TOTAL 

FOCV 

Y 

9.3 

2.9 

0.9 

0.9 

14.0 

FOCV 

N 

i.O 

0.8 

0.0 

0.0 

1.8 

MSS 

Y 

3.0 

4.7 

0.0 

0.0 

7.7 

MSS 

N 

0.8 

0.7 

0.0 

0.0 

1.5 

FEED  STOP 

Y 

2.9 

4.6 

0.0 

0.0 

7.5 

FEED  STOP 

N 

0.7 

0.8 

0.0 

0.0 

1.5 

TESTl* 

Y 

17.6 

5.9 

1.7 

1.1 

26.3 

TESTl* 

N 

1.7 

0.6 

0.0 

0.0 

2.3 

Storage:  code  16228  bytes 
•  TESTl  closes  FOCV,  then  DESUP-IN,  then  MSS 


Table  5.2 
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COMPILED  LISP 

NON-GCTIME  GCTIME 

(SEC)  (SEC) 


VALVE  TRACE 

r" 

USER 

1 

SYSTEM 

USER 

1 

SYSTEM 
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FOCV 

Y 
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2.3 
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0.0 

6.0 
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N 
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0.3 
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Y 
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1.7 

MSS 

N 

0.2 
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0.2 

FEED  STOP 

Y 

1.0 

0.6 

0.0 

0.0 

1.6 

FEED  STOP 

N 

0.2 

0.1 

0.0 

0.0 

0.3 

TESTl* 

Y 

7.5 

4.1 

0.0 

0.0 

11.6 

TESTl* 

N 

0.6 

0.2 

0.0 

0.0 

0.8 

Storage:  code  36710  bytes 
•  TESTl  closes  FCXJV,  then  DESUP-IN,  then  MSS 


Table  5  J 


Four  test  cases  were  used  in  the  comparison.  The  first  three  propagated  changes 
when  <me  valve  was  closed  (Fuel  Oil  Control  Valve  in  case  1,  Main  Steam  Stop  in  case  2, 
and  Main  Feed  Stop  in  case  3).  The  fourth  case  closed  three  valves  (Fuel  Oil  Control  Valve, 
Desup^eater  Inlet,  and  then  Main  Steam  Stop).  The  four  cases  represent  die  major 
systems  integrated  in  ProtoBoiler.  Each  case  was  run  with  "trace**  on  and  **Baoe’*  off. 
‘Trace”  enables  the  user  to  watch  the  propagation  of  values  as  they  occur.  Wldi  **trace” 
off,  the  user  would  only  see  the  initial  and  final  plant  statuses. 
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The  Ada  program  ran  consistently  faster  than  either  Lisp  version.  “TESTl,"  which 
closes  multiple  valves,  ran  almost  nine  times  faster  than  uncompiled  Lisp  and  almost  four 
times  faster  than  the  compiled  Lisp  version  (all  three  with  “trace”  on).  The  Ada  code 
required  15.8  K  storage  versus  16.2  K  and  36.7  K  for  the  uncompiled  and  compiled  lisp 
versions,  respectively.  The  executable  Ada  program  (which  runs  independently  in  the 
UNIX  shell)  required  229.4  K.  The  lisp  code  requires  the  Allegro  environment  to  run. 
Although,  as  previously  asserted,  memory  is  not  a  big  concern  in  the  test  environment  (Sun 
SPARCTstation  with  UNIX  operating  system),  the  size  of  the  executable  code  or  all  systems 
required  to  run  the  program  may  be  a  consideration  for  other  machines.  PC’s  running  MS- 
DOS  or  PC-DOS  may  be  limited  to  executable  files  less  than  640  kilobytes. 

D.  DATA  TYPES  AND  STRUCTURES  IN  BOILERMODEL 

The  code  for  BoilerModel  can  be  found  in  Appendix  A.  The  prominent  data  types 
used  are  simple  enumeration  types,  arrays,  and  records.  The  main  data  structure  used  is  the 
linked  list  This  section  will  examine  in  detail  BoilerModel’s  two  major  records,  VALVE 
and  BOILER.  In  the  course  of  this  examination,  all  important  data  types  and  structures 
used  in  diis  implementation  will  be  covered. 

1.  VALVE  Record 

Type  VALVE  is  a  record  that  contains  all  the  information  and  parameters 
necessary  for  valve  operation  in  BoilerModel.  Each  valve  in  the  system  is  an  instantiation 
of  an  access  type,  VALVE_PTR,  which  points  to  a  valve  record.  The  valves  in 
BoilerModel  are  connected  in  a  linked  list  structure.  The  fields  of  type  VALVE  will  be 
discussed  in  this  subsection. 
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a.  VALVEJD 


VALVE.ID  is  an  instantiation  of  a  previously  declared  enumeration 
type,  INDEX.  It  permits  identification  of  an  individual  valve  in  the  user  trace  function 
since  the  name  of  an  access  type  instance  cannot  be  output 

b.  UPSTREAM  and  DOWNSTREAM 

UPSTREAM  and  DOWNSTREAM  are  arrays  of  type  VALVE_PTR. 
They  contain  pointers  to  the  valves  which  are  immediately  upstream  or  downstream  of  each 
valve.  Ntmnally,  there  is  only  one  valve  in  each  of  these  arrays;  however,  some  valves, 
such  as  MAIN_STEAM_STOP,  act  as  distributors  for  several  downstream  systems  or 
receivers  from  multiple  sources  and  thus  require  several  valves  in  one  of  the  two  arrays. 

c.  COUNTED 

The  list  containing  the  valves  is  circularly  linked  to  allow  monitoring  by 
a  procedure  that  checks  for  flow  in  the  system  (to  be  discussed  later).  The  Boolean 
COUNT  is  used  to  prevent  endless  cycling  through  the  list  when  a  single  traversal  is 
needed. 

d.  NEXT 

NEXT  is  the  VALVE_PTR  that  acts  as  the  coimector  in  the  linked  list  of 

valves. 

e.  STATUS 

The  STATUS  of  a  valve  is  either  OPEN  or  SHUT.  OPEN  and  SHUT  are 
instances  of  the  enumeration  type  MEASUREMENT_VALUE.  PREV_STATUS  is  the 
status  of  a  valve  the  last  time  the  propagation  task  looked  at  it 
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/.  Pressure  and  Flow 

Pressure  and  flow  in  and  out  of  a  valve  are  maintained  as  distinct  flelds. 
They  are  of  type  MEASUREMENT_VALIJE  and  can  take  on  the  values  of  NONE,  LOW, 
NORM,  HIGH,  and  LIFT_SAFE_HI.  Each  input  and  output  pressure  and  flow  has  a 
corresponding  “PREV_”  field  which  holds  the  value  its  counterpart  held  the  last  time  the 
propagation  task  looked  at  it 

g.  SYSTEM 

Each  valve  belongs  to  one  of  four  systems:  STEAM.SYSTEM, 
AIR_SYSTEM,  FUEL_SYSTEM,  or  FEED_SYSTEM.  All  systems  are  arrays  of 
VALVE.PTR.  Since  it  is  possible  that  propagation  of  values  can  occur  concurrently  in  two 
systems,  this  field  allows  the  value  of  COUNTED  to  be  reset  in  one  system  widiout 
affecting  any  other. 

2.  BOILER  Record 

Type  BOILER  is  a  record  of  other  records.  Its  constituent  members  consist  of 
STEAM_DRUM  and  WATER_DRUM  (instances  of  type  DRUM),  SUPERHEATER, 
DESUPERHEATER,  and  GENERATIONJTUBES  (instances  of  type  TUBE),  and 
FURNACE  (an  instance  of  type  BOILER.RJRNACE).  The  field  types  (DRUM,  TUBE, 
and  BOILER.FURNACE)  will  be  discussed  in  this  subsection. 

a.  DRUM 

Type  DRUM  is  a  record  whose  fields  are  all  instantiations  of  type 
MEASUREMENT_VALUE.  WATER_LEVEL  may  take  on  the  values  NONE, 
LOW_ALARM,  LOW,  NORM,  HIGH,  and  HIGH_ALARM.  PRESSURE,  FLOW.IN, 
and  FLOW.OUT  are  similar  in  nature  to  their  counterparts  in  type  VALVE.  TEMP 
(temperature)  can  assume  the  values  LOW,  NORM,  or  HIGH.  It  has  no  meaning  for  the 
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water  drum  (where  it  is  not  measured  in  a  real-world  boiler),  and  is  not  shown  on  the  boiler 
status  di^lay.  There  are  “PREV_”  values  for  all  these  fields,  as  in  type  VALVE,  These 
values,  however,  are  not  used  for  propagation  purposes,  but  are  used  in  determining 
whether  an  updated  boiler  status  needs  to  be  displayed. 

b.  TUBE 

Type  TUBE  is  a  record  that  contains  values  for  input  and  output  flow  and 
tempmture  of  a  tube.  There  is  a  Boolean,  RUPTURE,  that  is  set  when  a  tube  is  ruptured. 
There  are  “PREV_”  values  for  all  these  Belds.  One  final  element  of  type  TUBE  is  another 
Boolean,  DIRECT_HEAT_CONTACT.  The  procedure  that  checks  for  a  ruptured  tube 
must  first  ascertain  whether  or  not  the  tube  in  question  comes  into  direct  contact  with 
flames  or  combustion  gases.  If  it  does  not  (as  is  the  case  of  the  desuperiieater),  a  rupture 
due  to  inadequate  flow  through  the  tube  will  not  occur. 

c.  BO!LER_FURNACE 

Type  BOILER.FURNACE  contains  much  of  the  data  needed  to 
cmrectly  diagnose  m*  propagate  casualties.  Real-world  boiler  operators  rely  heavily  on 
infonnation  directly  or  indirectly  observed  from  the  furnace.  The  BOILER_FURNACE 
fields  are  detailed  in  this  subsection. 

(1)  DECK_STATUS.  DECK_STATUS  indicates  whether  ot  not  there 
is  fuel  on  the  deck  of  the  fiimace. 

(2)  FIRING.RATE.  FIRING_RATE  nwasures  die  intensity  of  die 
boiler  fireball,  and  varies  direcdy  with  fuel  manifold  input  pressure.  HRING.RATE  is  one 
of  the  controllers  of  steam  drum  pressure.  It  may  take  on  the  values  of  NONE,  LOW, 
NORM,  and  HIGH. 
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(3)  EXPLOSION.  EXPLOSION  is  a  Boolean  that  indicates  the 
presence  or  absence  of  a  boiler  explosion. 

(4)  PERISCX)PE.  The  boiler  periscope  can  give  an  indication  of  a  white 
or  black  smdte  condition  or  fuel  on  deck.  PERISCOPE  can  assume  the  values  of  CLEAR, 
BLACK,  ORANGE,  or  FOGGED. 

(5)  FIRES_LIT.  FIRES_LIT  is  a  Boolean  indicating  the  status  of  boiler 
fires,  and  thus  the  boiler  itself  (a  boiler  is  considered  off-line  when  fires  are  extinguished). 

(6)  FIRE_APPEARANCE.  Boiler  fires  may  appear  FAN_SHAPED 
(normal)  or  IRREGULAR.  IRREGULAR  fire  appearance  indicates  a  smoke  condition,  an 
air  problem,  or  a  fuel  problem. 

(7)  Previous  Values.  The  above  fields  have  corresponding  “PREV_” 
fields  to  facilitate  boiler  status  display  updates. 

E.  BOILERMODEL  TASKS 

Four  tasks  drive  BoUcrModcl:  PROPAGATE,  STEAM_DRUM_MANAGER, 
FIRES.MANAGER,  and  TUBE_MANAG0(.  They  are  all  actor  tasks,  each  embedded  in 
a  hop  statement  Thus,  once  activated,  they  continually  perform  updates  and  constraint 
propagation.  Since  they  ate  all  of  the  same  priority,  they  are  scheduled  using  an 
implementation-defined  First-In,  First-Out  ready  queue. 

It  should  be  noted  here  that  the  main  procedure  of  any  Ada  program  is  an  implicit 
task.  Procedure  MAIN  in  BoilerModel  is  no  different  It  is  assigned  a  higher  priority  than 
any  other  task  so  it  can  perform  boiler  and  plant  initialization  before  propagation  begins 
(unpredictable  and  erroneous  results  occurred  when  MAIN  was  assigned  a  priority  equal  to 
the  otiier  tasks).  MAIN  provides  user  interface  by  querying  the  user  about  what  valve  status 
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CM*  characteristic  to  change  and  displaying  boiler  status  when  a  boiler  parameter  has  been 
changed. 

This  section  will  describe  the  function  of  the  four  explicit  tasks  that  are  the 
workhorses  for  BoilerMcxlel.  The  structural  relationships  of  program  units  can  be  found  in 
Appendix  D. 

1.  PROPAGATE 

Task  PROPAGATE  takes  a  look  at  current  and  previous  status,  pressure,  and 
flow  for  each  valve  in  the  linked  list  of  plant  valves.  If  a  current  and  previous  parameter  of 
a  valve  do  not  match,  it  must  mean  that  some  value  was  propagated  to  that  valve  and  must 
continue  pit^gating  until  it  reaches  a  sink  (user)  cm*  a  dead  end.  To  do  this,  PROPAGATE 
calls  procedure  PROPAGATC.VALVE.VALUES. 

PROPAGATE_VALVE_VALUES  first  determines  whether  the  valve  undo* 
consideration  is  open  cxr  shut  If  it  is  open,  then  output  pressure  and  flow  are  assigned  the 
same  values  as  input  pressure  and  flow  (much  the  same  as  in  the  simple  valve  and  piping 
arrangement  in  Figure  2.2)  If,  on  the  other  hand,  the  valve  in  question  is  shut  then  output 
pressure  and  flow  from  that  valve  is  reduced  to  nothing.  AdditicMially,  a  determination  must 
be  made  as  to  whether  there  is  flow  in  the  parent  system  with  that  valve  shut 
PROPAGATE_VALVE_VALUES  calls  procedure  CHECX;_FOR_FLOW  to  make  that 
determination. 

CHECK_FOR_FLOW  recursively  moves  upstream  one  valve  and  then 
performs  a  depth-first  search  for  an  open  path  to  a  sink.  If  such  a  path  is  found,  one  of  the 
input  paramenters,  FLOW  (a  Boolean),  is  set  to  true;  otherwise,  it  remains  false. 

In  the  case  that  no  path  can  be  found  from  source  to  sink  in  a  system,  an 
overpressurizaticm  will  occur.  Procedure  OVER_PRESSURE  nooves  recursively  upstream 
from  the  original  valve,  propagating  HIGH  output  and  input  pressures.  Task 
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PROPAGATE  will  pick  up  the  lack  of  output  pressure  and  flow  finom  a  shut  valve  and 
conduct  nonnal  propagation  of  values  downstream. 


Procedure  PROPAGATE_VALVE_VALUES  does  two  final  things.  First,  it 
resets  all  “PREV_”  values  for  the  affected  valve.  Second,  it  assigns  the  output  pressure  and 
flow  of  the  subject  valve  to  each  of  the  valves  immediately  downstream.  Task 
PROPAGATE  will  pick  up  the  changes  to  these  new  valves  next  time  through  its  loop;  thus, 
constraint  propagation  through  a  valve  and  piping  system  is  effected. 

2.  STEAM_DRUM_MANAGER 

Task  STEAM_DRUM_MANAGER  regulates  water  level  in  the  boiler  steam 
drum.  To  do  this,  it  compares  the  flow  into  the  steam  drum  with  the  flow  out  The  flow 
through  the  boiler  tubing  itself  is  controlled  by  another  task,  TUBE_MANAGER.  If  there 
is  more  flow  into  the  boiler  than  flow  out,  water  level  will  increase  first  to  a  HIGH 
condition  and  then  to  HIGH.ALARM  (signalling  a  High  Water  casualty).  If  the  flow  out 
of  the  boiler  is  greata  than  the  flow  in,  water  level  drops  to  LOW,  and  then  to 
LOW.ALARM  (a  Low  Water  casualty).  NORM  water  level  is  the  equilibrium  condition. 

STEAM_DRUM_MANAGER  also  controls  safety  valve  operation.  If  the 
input  pressure  to  the  VIRTUAL_SH_OUTLET  is  HIGH,  then  steam  drum  pressure  will 
rise  to  UFT.SAFE.HI  and  safety  valves  will  OPEN.  Safety  valves  are  small  in 
comparistm  to  stop  valves  (such  as  the  Main  Steam  Stop  and  Auxiliary  Steam  Stcq?)  on  a 
real-wOTld  boiler.  Consequently,  steam  drum  pressure  caiuiot  drop  fiom  LIFT_SAFE_HI 
to  NORM  instantly.  To  realistically  simulate  the  slower  drop  in  pressure, 
STEAM_DRUM_MANAGER  calls  procedure  INCREMENTAL_DECREASE. 
INCREMENTAL.DEC^REASE  drops  steam  drum  pressure  from  LIFT_SAFE_HI  to 
HIGH  to  NORM  with  delays  at  each  drop.  Safety  valves  will  not  shut  until  steam  drum 
pressure  is  NORM  because  safety  valves  reseat  at  a  lower  pressure  than  they  lift. 
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Delay  statements,  which  have  the  effect  of  blocking  and  rescheduling  a  task, 
have  been  added  at  various  points  in  the  tasks.  Since  the  routine  to  display  boiler  status  is 
called  from  procedure  MAIN  (an  implicit  task),  strategically  placed  delays  permit  a  more 
comprehensive  view  of  boiler  changes. 

3.  FIRES_MANAGER 

Task  FIRES.MANAGER  controls  steam  drum  pressure  by  regulating  firing 
rate  based  on  fuel  manifold  output  pressure.  In  a  real-world  boiler,  an  Automatic 
Combustion  Control  (ACC)  system  regulates  fuel  and  air  pressure  (and  therefore  firing 
rate)  to  maintain  normal  steam  drum  pressure.  The  ACC  syston  is  one  part  of  the 
Automatic  Boiler  Controls  system  which  was  not  incorporated  in  BoilerModel.  However, 
to  miiror  real-world  boiler  operations  as  closely  as  possible,  boiler  firing  rate  (more 
accurately.  Fuel  Oil  Control  Valve  output  pressure)  changes  only  when  steam  drum 
pressure  varies  from  NORM.  When  drum  pressure  is  greater  than  NORM,  Bring  rate 
decreases:  when  steam  drum  pressure  drops  below  NORM,  firing  rate  increases.  When 
steam  drum  pressure  reaches  NORM,  firing  rate  becomes  NORM.  In  a  real-world  steam 
generation  system,  NORM  depends  on  the  boiler  loads  (NORM  is  greater  when  the  ship 
travels  at  higher  speeds,  for  example).  So,  even  though  the  boiler  firing  rate  may  not 
change  quantitatively  during  the  transition  fiom  abnormal  to  normal  steam  drum  pressure, 
it  does  change  qualitatively  to  reflect  the  new  normal  fuel  and  air  demand  for  the  changed 
steam  load. 

The  boiler  furnace  parameters  are  also  controlled  by  FIRES.MANAGER  via 
a  set  of  constraints.  The  constraints  constitute  the  necessary  preconditions  for  fiimace 
values  to  be  other  than  ntnmal.  For  example,  if  thoe  is  a  path  for  fuel  into  the  boiler  and 
the  fuel  is  being  supplied  and  fires  happen  to  be  extinguished,  then  the  furnace  deck  will 
have  fuel  on  it  and  the  periscope  will  be  fogged.  How  the  constraint  values  come  to  be  is 
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of  no  concern  to  FIRES_MANAGER;  only  the  cause-effect  relationships  across  the 
furnace  subcomponents  is  regulated.  Hence,  fuel  pressure  of  NONE  to  the  boiler  can  result 
from  task  PROPAGATE,  while  a  fire  appearance  of  NONE  and  LOW  steam  drum  pressure 
are  effected  by  task  FIRES_MANAGER. 

4.  TUBE_MANAGER 

Task  TUBE.MANAGER  controls  the  flow  of  water  and  steam  through  the 
boiler,  from  the  Manual  Qieck  Valve  output  to  the  Main  and  Auxiliary  Steam  Stops. 
Figure  5.1  is  a  schematic  representation  of  boiler  flow.  TUBE_MANAGER  ensures 
connectivity  by  assigning  values  for  component  input  flow  based  on  the  appropriate 
component  output  flow. 


Figure  5.1 
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TUBE_MANAGER  calls  procedure  RUPTURED_'nJBE_CHECK  for  each 
of  the  boiler  tube  bundles.  If  the  flow  into  a  tube  is  less  than  the  flow  out  for  an  extended 
period  of  time,  then  tube  temperature  will  rise.  If  the  tube  is  actively  exposed  to 
combustion  gases  (i.e.,  FIRES_LIT:=  TRUE  and  DIRECT_HEAT_CONTACT:=  TRUE), 
then  a  rupture  will  occur  if  flow  is  not  normalized. 

F.  RESULTS 

The  results  of  a  comprehensive  test  run  of  BoilerModel  can  be  found  in  Appendix  B. 
The  user  interface  permits  the  user  to  choose  between  changing  a  valve  characteristic  or  a 
valve  status.  The  characteristics  that  can  be  changed  are  input  flow  and  input  pressure. 
Each  can  be  changed  to  none,  low,  norm,  or  high.  Altering  a  characteristic  allows  user 
control  over  what  values  will  propagate  and  where  propagation  will  start.  A  change  in 
valve  status  more  accurately  mirrors  how  an  operator  can  effect  changes  to  the  plant;  by 
opening  or  closing  a  valve.  Both  methods  of  change  were  undertaken  in  the  test  run. 

In  all  cases,  the  end  results  of  propagation  match  the  expected  results  in  a  real-world 
boiler  system.  This  is  a  good  thing,  but  could  have  been  accomplished  without  difficulty 
using  a  rule-based  expert  systeta  The  model-based  nature  of  BoilerModel,  however, 
permits  the  user  to  incrementally  trace  changes  as  they  propagate  through  the  system. 
Moreover,  at  any  point  in  time  the  plant  status  is  relatively  accurate;  events  occur  and  are 
displayed  in  correct  relation  to  other  events.  (e.g.,  propagation  of  low  steam  pressure 
through  the  main  steam  system  can  occur  only  after  the  user  can  see  that  something 
happened  to  change  steam  drum  pressure).  One  of  the  test  cases,  shutting  the  Feedwater 
Control  Valve,  will  be  examined  in  this  section. 

When  the  Feedwater  Control  Valve  (FWCV)  is  shut,  two  things  happen  that  initiate 
the  causal  chain  of  events.  First,  since  shutting  the  FWCV  in  BoilerModel  eliminates  the 
sink  for  the  Main  Feed  Pump  (see  Figure  4.3),  pressure  becomes  backed  up  from  the 
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FWCV  to  the  pump.  Second,  no  pressure  and  no  flow  is  propagated  from  the  FWCV 
through  the  Manual  Check  Valve  and  into  the  boiler. 

No  flow  into  the  boiler  with  normal  flow  out  results  in  a  low  steam  drum  water  level. 
Water  level  continues  to  drop  until  it  reaches  LOW_ALARM  (indicating  a  Low  Water 
casualty).  Since  there  is  virtually  no  more  water  in  the  steam  drum  or  water  drum  at  this 
point,  the  generation  tubes  will  rupture  (because  they  have  no  cooling  medium).  Steam 
drum  pressure  drops  as  a  result  of  the  tube  rupture,  and  this  reduced  steam  drum  pressure 
(first  LOW  and  then  NONE),  is  propagated  through  all  the  steam  piping  systems.  The 
periscope  becomes  fogged  from  the  escaping  steam  in  the  furnace. 

The  volume  of  steam  through  the  superheater  and  desuperheater  drops  to  zero,  and 
this  change  in  flow  is  also  propagated  through  the  steam  systems.  Boiler  fires  are  still  lit 
and  the  superheater  has  no  steam  flowing  through  it.  Like  the  generating  tubes,  it  requires 
this  flow  to  carry  heat  away.  Without  the  flow,  the  superheater  also  ruptures. 

The  chain  of  events  which  occurred  when  the  Feedwater  Control  Valve  was  shut 
accurately  reflects  what  could  happen  in  a  real-world  boiler  if  the  same  valve  were  shut  and 
not  immediate  or  controlling  actions  were  taken. 


61 


VI.  CONCLUSIONS 


Model-based  reasoning  is  an  effective  and  efficient  method  for  implementing  steam 
plant  engineering  training.  BoilerModel  accurately  represents  physical  components  and 
executes  concurrent  real-world  activities.  It  provides  a  usable  output  that  shows  how 
values  are  propagated  through  various  systems.  Answers  to  the  questions  posed  in  the 
thesis  introduction  will  be  examined  in  this  chapter,  along  with  other  observations^ 
problems  encountered,  and  recommendations  for  future  work  in  this  area. 

A.  QUESTIONS  ANSWERED 

1.  Boiler  and  Steam  Plant  Modeling 

Expert  systems  can  be  developed  to  efficiently  and  effectively  model  a 
propulsion  boiler  system.  Rule-based  systems  could  conceivably  be  built  to  correctly 
diagnose  all  casualty  situations,  but  they  have  several  shtntcomings.  Inrst,  they  cannot 
reason  beyond  the  limits  of  their  rule  bases.  They  are,  therefore,  limited  by  the  knowledge 
of  subject  matter  experts.  Second,  the  number  of  rules  required  ftv  such  a  system  would  be 
enormous  because  a  great  deal  of  them  would  be  required  to  verify  sensor  accuracy. 
Moreover,  the  large  number  of  rules  would  slow  the  expert  system  down  (possibly  u>  the 
point  of  uselesNiess).  Third,  modifications  to  the  system  (including  expansion  into  a  steam 
plant-wide  domain)  could  require  substantial  alterations  to  the  rule  base.  Such  changes 
might  result  in  redundant  or  contradictory  rules. 

BoilerModel  is  a  streamlined  expert  system  that  does  not  rely  on  a  bank  of  rules 
to  determine  plant  status.  Instead,  it  uses  cause-effect  relations  and  ionhooaqwnent 
behavi(»al  rules  to  prc^gate  values  to  their  logical  conclusions.  Since  BoilerModel  places 
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all  emphasis  on  components  and  propagation  along  component  connections,  modification 
is  simply  a  matter  of  modeling  new  devices  and  connecting  them  into  the  existing  system. 
Therefore,  expanding  BoilerModel  into  a  larger  steam  plant  model  is  only  as  difficult  as 
modeling  the  additional  components. 

2.  Qualitative  Modeling 

Designing  BoilerModel  in  the  qualitative  paradigm  posed  no  problems.  In  fact, 
it  may  have  been  easier  than  doing  so  using  actual  FF  1052/1078  plant  parameters  because 
inexact  state  descriptions  (HIGH,  NORM,  etc.)  require  no  complicated  mathematical 
fonnulae.  Moreover,  qualitative  modeling  of  this  project  carries  two  advantages  over 
mathematical  or  numerical  modeling.  First,  BoilerModel  can  be  used  effectively  as  is  by 
engineering  personnel  assigned  to  ships  with  different  types  of  propulsion  boilers  and 
different  plant  configurations.  The  general  sequence  of  events  that  occurs  when  the 
feedwater  inlet  to  the  boiler  is  shut  is  the  same  for  all  steam  propulsion  plants;  only  the 
parameters  vaiy.  Additionally,  because  of  the  component-oriented  nature  of  model-based 
systems  in  general  and  the  modularity  of  BoilerModel  in  particular,  the  code  can  be 
manipulated  to  add  and  remove  components  or  to  rearrange  valves  and  piping 
configurations  with  very  little  difficulty.  So,  although  BoilerModel  is  based  on  a  frigate’s 
steam  generation  system,  it  can  be  modified  to  match  any  otha*  steam  platform. 

The  second  advantage  a  qualitative  boiler  model  has  over  a  mathematical  one 
is  that  the  real-world  users  of  die  model  are  plant  operators,  not  mechanical  engineo^. 
Although  both  officer  and  enlisted  watchstanders  must  know  some  plant-specific 
parameters,  no  one  is  required  to  know  all  of  them.  One  reason  is  that  there  are  many 
measurable  parameters.  Instead  of  requiring  an  operator  to  remember  them  all  (and 
possibly  forget  some),  engineering  guidelines  dictate  the  use  of  markers  (such  as  red  tape) 
on  measuring  devices  (gauges  and  thermometers)  to  indicate  the  maximum  acceptable  high 
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or  low  values.  A  watchstander  can  then  scan  his  or  her  gauge  board  and  observe  the 
relationship  of  the  actual  value  to  the  max  (or  min)  for  that  sensor.  In  other  words,  the 
watchstander  makes  qualitative  observations;  values  are  low,  high,  or  normal  with  re^ct 
to  the  delimiting  marker. 

3.  Modeling  in  Ada 

Ada  proved  to  be  a  versatile  modeling  tool.  It  provided  fairly  tight  and  very 
fast  code.  It  can  be  used  procedurally  or  functionally,  and  is  very  portable.  Lisp  code,  on 
the  other  hand,  ran  considerably  slower  titan  Ada  code  in  the  case-based  comparison. 
Moreover,  the  Lisp  code  proved  more  difficult  to  troubleshoot  because  it  produced  run¬ 
time  errors  which,  while  traceable  (using  the  Lisp  “trace”  function),  were  not  nearly  as  easy 
to  locate  and  correct  as  compile-time  eiTOTS  in  Ada. 

Lisp  is  one  of  the  dominant  expert  system  modeling  languages.  Should  it 
remain  so?  To  answer  yes,  a  Lisp  proponent  must  provide  clear  advantages  for  that 
language  over  other  contenders.  This  thesis  proposes  Ada  as  a  language  for  use  in  the  full 
development  of  artificial  intelligence  applications,  from  prototype  to  finished  product  The 
only  thing  Ada  lacks  is  true  inheritance  in  object-oriented  prograixuning.  That  is  only 
temporary;  at  least  one  preprocessor,  Classic-Ada,  allows  full  use  of  object-miented 
techniques.  When  tools  such  as  this  one  are  widely  available  and  become  a  de  facto  part  of 
the  DoD  standard,  then  Ada  will  truly  be  an  all-purpose  language. 

4.  Affordability 

Since  BoilerModel  was  developed  in  Ada,  affordability  for  shipboard  use  is 
based  on  three  considerations.  First,  the  initial  purchase  of  an  Ada  compiler  for  the  PC  or 
Macintosh  that  can  handle  the  large,  numerous  global  variables  inherent  in  the  model. 
Since  Ada  is  so  portable,  very  little  tiKxlification  to  existing  code  would  be  required  for  a 
changeover  from  UNIX  to  MS/PC-DOS  or  the  Macintosh  operating  system.  Second,  ships 
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must  be  equipped  with  the  hardware  necessary  to  run  the  executable  version  of 
BoilerModel.  Specifically,  PC’s  or  Mac’s  (preferably  laptop  versions)  need  to  be 
accessible  to  engineering  personnel.  Third,  if  this  model  is  to  grow  any  larger  than  it  is, 
someone  needs  to  make  it  happen. 

The  first  two  considerations  involve  minimal  costs  that  can  easily  be  reconciled 
in  any  budget  The  third  consideration  may  involve  man-hours  (years)  diverted  toward 
project  development,  although  some  costs  can  be  defrayed  by  using  available  research 
institutions  (such  as  the  Naval  Postgraduate  School). 

B.  OTHER  OBSERVATIONS  AND  PROBLEMS 

Observations  were  made  and  problems  encountered  during  the  design  and 
development  of  BoilerModel  that  were  not  directly  tied  to  the  thesis  questions.  They  will 
be  discussed  in  this  section. 

1.  Compiler  Problems 

As  detailed  in  an  earlier  chapter,  BoilerModel’s  complement  of  global 
variables  prevented  the  use  of  Meridian’s  standard  sized  Ada  compiler  fen:  the  PC.  This 
proved  to  be  only  a  temporary  snag;  Ada’s  pcmability  resulted  in  trouble  free  transfer  to  the 
Verdix  Ada  compiler  on  the  Suns  (although  the  user-friendly  Meridian  editing  environment 
was  sorely  missed). 

2.  Incomplete  Model 

The  boiler  is  probably  the  single  most  complicated  component  to  model  in  the 
steam  plant  There  are  several  valves  and  subsystems  that  exist  in  real-world  boiler  systems 
but  have  not  been  built  into  BoilerModel.  The  reason  for  this  lies  with  the  goal  to  get  a 
working  model  in  Ada  completed  flrst  The  supporting  boiler  systems  (most  notably  the 
Automatic  Boiler  Control  systems)  can  be  added  later.  To  its  credit,  BoilerModel  provides 
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a  detailed  representation  of  a  propulsion  boiler  that  accurately  propagates  value  changes  to 
their  logical  conclusions. 

3.  Naval  Reserve  Training 

Roughly  twelve  FF-10S2  class  frigates  are  scheduled  for  reclassification  as 
“FT,”  or  Frigate  Trainers.  Their  function  will  be  to  train  Naval  Reservists  on  their  weekend 
drills  in  a  non-adversarial  environment.  Since  the  typical  resovist  is  not  exposed  to  more 
than  roughly  sixteen  hours  of  shipboard  duties  per  month,  a  portable,  computerized  trainer 
could  maximize  casualty  control  training  while  minimizing  well-intentioned  “mistakes” 
typical  of  undertrained  deckplate  sailors. 

4.  OPPE/LOE 

All  ships  must  undergo  two  periodic  engineering  inspections:  the  Operational 
Propulsion  Plant  Examination  (OPPE)  and  the  Light-Off  Examination  (LOE).  Normally, 
sufficient  underway  time  is  allotted  for  OPPE  preparation;  however,  since  part  of  the  exam 
is  materiel  readiness,  a  substantial  amount  of  work  at  a  repair  facility  is  also  required. 
Light-Off  Exams  are  required  after  extensive  yard  periods,  during  which  the  ship  cannot 
get  underway  to  conduct  realistic  training.  A  shipboard  training  complement  like 
BoilerModel  could  constructively  use  the  inport  time  to  prepare  watchstanders  for  these 
inspections. 

5.  Other  Propulsion  Plants 

Steam  ships  are  fast  becoming  an  anomaly.  With  the  decommissioning  of  the 
Knox  class  frigates,  the  Adams  and  Farragut/Coontz  class  guided  missile  destroyers,  and 
the  battleships,  the  only  steam  driven  platforms  left  will  be  auxiliaries,  cruisers,  some 
anqihibious  ships,  and  a  handful  of  aircraft  carriers.  However,  the  concepts  of  model-based 
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design  en[q)loyed  in  BoilerModel  transcend  propulsion  type  and  can  therefore  by  applied  to 
both  gas  turbine  and  diesel  plants. 

C.  FUTURE  WORK 

Future  work  in  BoilerModel  can  extend  in  several  (non-mutually  exclusive) 
directions.  First,  the  boiler  itself  should  be  modeled  in  greater  detail,  incorporating 
subsystems  (ABC,  ACC,  etc.)  not  included  in  this  implementation.  This  would  provide 
greater  reliability  as  a  diagnostic  tool  and  greater  accuracy  as  a  training  system. 

A  natural  follow-on  to  the  first  suggestion  would  be  to  expand  the  scope  of 
BoilerModel  to  cover  the  entire  engineering  plant.  The  groundwork  for  value  propagation 
through  valves  and  piping  systems  has  already  been  laid,  and  the  most  complex  component 
(the  boiler)  has  already  been  modeled.  Pumps  can  be  noodeled  as  classes  in  an  object- 
oriented  approach.  This  would  be  very  useful  because,  although  all  pumps  share  certain 
characteristics,  different  types  (centrifugal,  positive  displacement,  jet)  move  fluids 
diffnently  and  therefore  have  varying  intra-component  relationships. 

A  third  suggestion  for  future  research  is  to  incorporate  BoilerModel  into  sonoe  sort  of 
training  or  diagnostic  system  usable  in  the  fleet  (hopefully  while  there  are  still  steam  plants 
to  operate).  Since  BoilerModel  relies  on  model-based  reasoning  principles,  little  time  need 
be  spent  interviewing  experts  regarding  boiler  operations.  En^gies  can  be  devoted  to 
developing  an  effective  student  model  and  a  useful  student  interface. 

A  final  suggestion  for  future  work  would  be  to  incorporate  BoilerModel  (and  any 
improvements  to  it)  into  the  Argos  paperless  ship  project  as  a  stand-alone  training  module. 
The  focus  for  this  woiic  could  be  a  graphics  and  sound  replacement  for  the  textual  user 
interface  presently  inqrlemented.  Boiler  operation  would  then  be  realistically  nxxleled  and 
realistically  presented.  As  a  side  effect,  a  sharp  video  presentation  would  probably  enhance 
the  appeal  of  the  model  to  potential  users. 
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APPENDIX  A  (BoilerModel  CODE) 


with  SYSTEM; 
use  SYSTEM; 

package  VALVES_AND_PIPING  is 

type  INDEX  is  (VSH,  MSS,  ASS.  DESUP.IN,  SH_PROT_IN. 

SAFETIES>UR_REG,SHinTERS,FUEL  MAN.FOCV, 

FO  RECIRC.FOSP  DISCH,  FEED_STOP.  FWCV, 

MAN  C3IK.  BLEED.  AUG.  FDB_IN.ONE_FIFrY  IN, 

PMAC  IN.ER  BLKHD  STOP.  AMR  BLKHD  STOP. 
MFP_STM_SUP); 

type  MEASUREMENT  VALUE  is  (NONE.  LOW_ALARM.  LOW,  NORM. 

HIGH.  LIFT  SAFE  HI.  HIGH.ALARM,  FUEL  ON_DECK, 
NO  FUEL  ON  DECK.  ORANGE,  BLACK,  CLEAR, 
FOGGED,  FAN  SHAPED.  IRREGULAR,  OPEN,  SHUT); 

type  VALVE; 

^pe  VALVE_PTR  is  access  VALVE; 

type  VALVE_PTR_ARRAY  is  aiiay  (L.10)  trf  VALVE.PTR; 

type  S  YSTEM_ARRAY  is  anay  (POSITIVE  range  o)  of  VALVE_PTR; 

TRACE:  BOOLEAN:^  FALSE; 

type  S  YSTEM_ARRAY_PTR  is  access  SYSTEM_ARRAY; 

STEAM  SYSTEM:  SYSTEM.ARRAY  PTR:»iiewSYSTEM_ARRAY(1..14); 
AIR  SYSTEM:  SYSTEM  ARRAY  FTR:=  new  SYSTEM  ARRAY(L.2); 
FUEL_SYSTEM:  SYSTEM.ARRAY  PTR:-  new  SYSTEM_ARRAY(L.4); 
FEED_SYSTEM:  SYSTEM_ARRAY_PTR;«  new  SYSTEM_ARRAY(L3); 

type  VALVE  is 
lecoid 

VALVE  ID:  INDEX; 

UPSTREAM:  VALVE  PTR  ARRAY; 

DOWNSTREAM:  VALVE  PTR  ARRAY; 

COUNTED:  BOOLEAN:.  FALSE; 

NEXT:  VALVE  PTR; 

PREV_STATUS:  MEASUREMENT.VALUEsr  OPEN; 

STATUS:  MEASUREMENT_VALUE:«  OPEN; 
PREV_INPUT_PRESS:  MEASUREMENT  VALUE:.  NORM; 
INPUT.PRESSURE:  MEASUREMENT.VALUE."-  NORM; 
PREV^INPUT_FLOW:  MEASUREMENT  VALUE:.  NORM; 
PREV_OUTPUT_FLOW:  MEASUREMENT  VALUE:.  NORM; 
INPUT  FLOW:  MEASUREMENT.VALUE:.  NORM; 
OUTPUT.PRESSURE:  MEASUREMENT  VALUE:.  NORM; 
PREV.OUTPUT_PRESS:  MEASUREMENT  VALUE:.  NCHIM; 
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OUTPUT.FLOW:  MEASUREMENT  VALUE;=NORM; 
SYSTEM:  SYSTEM_ARRAY_PTR; 
endreonrd: 

VIRTUAL  SH  OUTLET:  VALVE  PTR:=  new  VALVE; 
MAIN_STEAM_STOP:  VALVE.PTR:*  new  VALVE; 

AUX_STEAM  STOP:  VALVE_PTR:«  new  VALVE; 
DESUPERHEATER  INLET:  VALVE  PTR;=  new  VALVE; 
SUPERHEATER.PROTECnON  INLET:  VALVE  PTR:=  new  VALVE; 
SAFETY.V ALVES:  VALVE.PTR:*  new  VALVE; 

AIR_REGISTERS:  VALVE.PTR:-  new  VALVE; 

AIR  SHUTTERS:  VALVE  PTR;=:  new  VALVE; 

FUEL  MANIFOLD;  VALVE_PTR:»  new  VALVE; 

FUEL  OIL  CONTROL.VALVE:  VALVE  PTR;=  new  VALVE; 

FUEL  RECIRC:  VALVE  PTR:«  new  VALVE; 

PO.SVC  PUMP  DISCH:  VALVE  PTR:=  new  VALVE; 

FEED  STCM»  VALVE;  VALVE_PTR:«  new  VALVE; 

FEEDWATER  CONTROL;  VALVE_PTR:*  new  VALVE; 

MANUAL  CHECK  VLV:  VALVE  PTR:«  new  VALVE; 

BLEEDER:  VALVE  PTR:*  new  VALVE; 

AUGMENTOR:  VALVE  PTR:*  new  VALVE; 

FDB_INLET:  VALVE.PTR;*  new  VALVE; 

ONE_FIFTY_INLET:  VALVE_PTR:«  new  VALVE; 

PMAC  INLET;  VALVE  PTO:»  new  VALVE; 

ER_BULKHEAD_STOP:  VALVE  PTR:»  new  VALVE; 
AMR.BULKHEAD  STOP.  VALVE  PTR:«  new  VALVE; 
MFP_STM_SUPPLY:  VALVE.PTR;*  new  VALVE; 

procedure  FILL_SYSTEM  ARRAYS; 
procedure  ASSIGN_VALVE_ORDER; 

procedure  SHOW.VALVE.STATUS  (AFFECTED:  in  out  VALVE_PTR); 
procedure  tNITTALOSE  PLANT; 

procedure  CHECK_FOR_FLOW  (VALVE  IN:  in  out  VALVE  PTR; 

FLOW:  in  out  BOOLEAN); 

procedure  OVER.PRESSURE  (AFFECTED:  in  out  VALVE_PTR); 
task  FRCH^AGATE  is 
pragma  PRIORITY(l); 
endFR(X>AGATE; 

end  VALVES_AND_PIPING; 
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with  TEXTJO; 
uscTEXTJO; 

package  body  VALVES.AND.PIPING  is 

package  INDEX  10  is  new  ENUMERATIONJO  (INDEX); 
useINDEXJO; 

package  MEASUREMENTJO  is  new  ENUMERATIONJO 
(MEASUREMENT  VALUE): 
use  MEASUREMENTJO; 


~  Procedure  FILL_SYSTEM_ARRAYS  fills  steam,  fuel,  air 
~  and  feed  system  anays  with  the  valves  in  those  systems 


procedure  FILL_SYSTEM_ARRAYS  is 
begin 

STEAM  SYS7EM(1):-  VIRTUAL  SH  OUILET; 

STEAM  SYSTEM(2):«MAIN  STEAM.STOP; 
STEAM_SYSTEM(3):-  AUX_STEAM_STOP; 

STEAM  SYS1EM(4):«DESUPERHEATER_INLET; 
STEAM_SYSTEM(5):»  SUPERHEATER  PROTECTION.INLET; 
STEAM  SYSTEM(6);«  SAFETY  VALVES; 
STEAM.SYSTEM(7):«  BLEEDER; 

STEAM_SYSTEM(8):«  AUGMENTOR; 

STEAM^SYSTEM(9):«  FDB.INIET; 

STEAM_SYSTEM(10):«  ONE_FIFTY.INLET; 
STEAM_SYSTEM(11):»  PMAC_INLEr; 

STEAM,SYSTEM(12):»  ER_BULKHEAD_STOP; 
STEAM_SYSTEM(13):«  AMR^BULKHEAD_STOP; 
STEAM_SYSTEM(14):-  MFP_STM_SUPPLY; 

AIR_SYSTEM(1):»  AIR.SHUTTERS; 

AIR^SYSTEM(2):-  AIR_REGISTERS; 

FUEL  SYSTEM(1):«P0_SVC  PUMP  DISCH; 
FUEL_SYSTEM(2):«  FUEL_OIL_CONTRCM,_VALVE; 
FUEL_SYSTEM(3):-  FUEL.RECIRC; 

FUEL_SYSTEM(4):-  FUEL.MANIPOLD; 

FEED_SYSTEM(1);»FEED  STOP  VALVE; 
FEED_SYSTEM(2):>  FEEDWATER  CX>N1E0L; 

FEED  SYSTEM(3):«  MANUAL  CHECK  VLV; 
end  FILL  SYSTEM  ARRAYS; 
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"  Plocedure  ASSIGN_VALVE_ORDER  fill  the  upstream  and 
~  downstream  arrays  of  each  valve  with  those  valves  which 
"  are  immediately  upstream  and  downstream 
--  (respectively) 


procedure  ASSIGN_VALVE_ORDER  is 
begin 

VIRTUAL  SH  OUTLETJ)OWNSTREAM(l):=  MAIN_STEAM_STOP; 
VIRTUAL  SH  OUTLET JX)WNSTREAM(2):=  DESUPERHEATER  INLET; 
MAIN  STiAM  STC»*.UPSTREAM(l):«VIRTUAL_SH_OUTLET; 

MAIN  STEAM  ST(M»JX)WNSTREAM(l):=ER_BULKHEAD_STOP; 
MAIN_STEAM  STOPJX)WNSTREAM(2}:s  AMR  BULKHEAD.STOP, 

MAIN  STEAM  STOPJ)OWNSTREAM(3):=  MFP_STM_SUPPLY; 
DESUPERHEATER  INLET.UPSTREAM(1):=  VIRTUAL_SH_OUTLET; 
DESUPERHEATER  IN1£TJX)WNSTREAM(1):«  AUX_STEAM_STOP; 
E^UPERHEATER  INLET JX)WNSTREAM(2):«  BLEEDER; 

AUX  STEAM  STCM».UPSTREAM(1):»DESUPERHEATER_INLET; 

AUX  STEAM_STOP.DOWNSTREAM(l):»AUGMENTOR; 

AUX  STEAM  STOP.DOWNSTREAM(2):»  FDB.INLET; 

AUX  STEAM  STXM».DOWNSTREAM(3):»ONE_FIFTY_INLET; 

AUX  STEAM  STOP.DOWNSTREAM(5):»PMAC  INLET; 

AIR  REGIST^.UPSTREAM(1):«AIR  SHUTTERS; 

AIR  SHUTTERS.DOWNSTREAM(l):s  AIR  REGISTERS; 
FUEL_MANIP0LD.UPSTREAM(1):»  FUEL_OIL_CX)NTROL_VALVE; 
FUEL_OIL_CX>NTROL_VALVEUPSTREAM{l);«PO_SVC_PUMP_DISCH; 
FUEL.OILJCONTROL  VALVE.DOWNSTREAM(l):«FUEL_MANIFOLD; 
FUEL_OIL_CONTROL_VALVEJX)WNSTREAM(2);-  FUEL_RECIRC; 

FUEL  RECIRC.UPSTREAM(l);-FUEL_OIL_CONTROL  VALVE; 
FUEL_REaRC.UPS'IREAM(2):«FUEL  MANIFOLD; 
PO_SVC_PUMP_DISCH.DOWNSTREAM(l):=FUEL_OIL_CONTROL_VALVE; 
FEED_STOP_VALVE.DOWNSTREAM(l):»  FEEDWATER.CONTROL; 
FEEDWA1ER_CX)NTR0L.UPSTREAM(1):»FEED_ST0P  VALVE; 
FEEDWATER  CONTROL.DOWNSTREAM(1):b  MANUAL  CHECK  VLV; 
MANUAL_CHECK_VLV.UPSTREAM(1):»  FEEDWATER.CONTROL; 
BLEEDER.UPSTREAM(I);- DESUPERHEATER  INLET; 
AUGMENTOR.UPSTREAM(I):sAUX  STEAM.STOP; 
FDB_INLET.UPSTREAM(1):»AUX  STEAM.STOP; 

ONE  FIFTY  INLET.UPSTREAM(1):»AUX  STEAM  STOP; 
PMAC_INLET.UPSTREAM(1):«AUX  STEAM.STOP; 

ER  BULKHEAD  STOP.UPSTREAMd):- MAIN  STEAM  STOP; 
AMR.BULKHEAD.STOP.UPSTREAM(l):*  MAIN  STEAM  STOP. 
MFP.STM.SUPPLY.UPSTREAM(1):«  MAIN.STEAM.STOP; 

end  ASSIGN.VALVE.ORDER; 
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~  procet^  SHOW_VALVE_STATUS  (xovides  a  trace  to  the  user 
-  (if  desired)  to  show  the  effects  (rf  pn^>agation  after  a  system  change 
••  is  made  ~ 


procedure  SHOW_VALVE_STATUS  (AFFECTCD:  in  out  VALVE_FrR)  is 


ROW_COUNT;  NATURAL:*  1; 
begin 

NEWJJNE; 

PUTC^ALVE"); 

SET_CX)L(17); 

PUTC^ATUS"): 

SET_CX)L(24); 

PUTC1NPUT  PRESS"); 

SET.COL(40); 

PUTCTNPUTFLOW"); 

SET_COL(52); 

Pt)T(WITUT  PRESS”); 

SET_COL(67); 

PUT_LINE(^UTPUT  FLOW^; 

purr - "); 

SET_COL(17); 

purr - "); 

SET_CX)L(24); 

purr - "); 

SET_CX)L(40); 

Purr - "); 

SET_CX)L(52); 

purr - "): 

SET_COL(67); 

purr - "); 

NEW_LINE; 

PUTCAFFECTED. VALVE  ID); 
SET_CX)L(17); 
PUr(AFFECIED.STATOS); 
SET.CXX^); 

PUT(AFFECrED.INPUT_PRESSURE); 

SET_CX)L(40); 

PUT(AFFECTED.INPUr_FLOW); 

SET_COL(52); 

PUTCAFFECTED.OUTPUT.PRESSURE); 

SET_CXX(67); 

PUrCAFFECTED.OUTPUT  FLOW); 

NEW_LINE; 

delay  0.0; 

end  SHOW  VALVE  STATUS; 
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~  Procedure  INmALIZ£_nLANT  sets  the  valves  in  the  plant  to 
~  the  ctxiect  setting  fa*  steady-state  steaming.  It  also  idratifies  each 
~  valve  with  an  ID  (for  printing  or  reference)  and  identifies  the 
~  system  with  which  the  valve  is  associated 


procedure  INITIALIZE.FI^ANT  is 
begin 

VIRTUAL  SH  OUTLET. VALVE.ID:-  VSH; 

VIRTUAL  SH_OUTLETJ4EXT:*  MAIN.STEAM  STOP; 

VIRTUAL  SH  OUTLET.SYSTEM:«  S'reAM.SYS'nEM; 

MAIN  STEAM  STOP.VALVE.ID:- MSS; 

MAIN  STEAM  STOPNEXT:*  AUX_STEAM_STOP. 

MAIN  STEAM  STOP.SYSTEM:»  STEAM.SYSTEM; 

AUX  STEAM  STOP.VALVE_ID:«ASS; 

AUX  STEAM  STCM»J4EXT;=  DESUreRHEATER.INLET; 

AUX  STEAM  STOP.SYSTEM;»  STEAM.SYSTEM; 
leSUPERHEATER  INLET.VALVE  ID:«  DESUP_IN; 

^SUPERHEATER  INLETJ®XT:=SUPERHEATER_PROTECTION_INLET; 
I^UPERHEATER  INl£T5YSTEM:=  STEAM.SYSTEM; 

SUPERHEATER  PROTECTION  INLET, VALVE_ID:«  SH_PROT_IN; 
SUPERHEATER  PROTECTION  INLET^IEXT:*  SAFETY.VALVES; 
SUPERHEATER  PROTECnON_INLETJ>REV_STATUS:=  SHUT; 
SUPERHEATER  PROTECnON_INLET.STATUS:-  SHUT; 

SUPERHEATER  PROTECHON  INLET.SYSTEM:- STEAM.SYSTEM; 
SUPERHEATER  PROTECTION  INLET.OUTPUT  FLOW:«NONE; 
SUPERHEATER_PROTECnON_INLETJREV_Oirmjr„FLOW:*  NONE; 
SUreRHEATER  PROTECTTCW  INLET.OUTPUT  PRESSURE:®  NONE; 
SUPERHEATER  PROTECnON_INLETJ>REV_OUTPin-_PRESS:=NONE; 
SAFETY.VALVES.VALVE^ID:®  SAFETIES; 

SAFETY.V  ALVES  J4EXT:-  AIRJIEGISTERS; 

SAFETY.VALVESJ>REV  STATUS:®  SHUT; 

SAFETY_VALVES,STATUS:®  SHUT; 

SAFETY_VALVES,SYSTEM:®  STEAM  SYSTEM; 
SAFETY_VALVES.OUTPUT JTjOW:-  NONE; 
SAFETY_VALVESFREV_OUTPUT_FLOW:«  NONE; 

SAFETY  VALVES.OUTPUTJ>RESSURE:=NONE; 

SAFETY.VALVESFREV  OUTPUT  PRESS:- NONE; 

AIR  REGISTERS.VALVE  ID:®  AIR  REG; 

AIR  REGISTERS J4EXT:®AIR_SHUTTERS; 

AIR  REGISTERS,SYSTEM:«AIR_SYSTEM; 

AIR  SHUTTERS.VALVE  ID:®  SHUTTERS; 

AIR  SHUTTERS  J4EXT:®  FUEL  MANIFOLD; 

AIR  SHUTTERS.SYSTEM:®  AIR  SYSTEM; 

FU^  MANIFOLD.  VALVE  ID:®FUEL  MAN; 

FUEL  MANIFOLD  J^EXT:®  FUEL  OIL  CONTROL.VALVE; 

FUEL  MANIFOLD.SYSTEM:-FUEL  SYSTEM; 

FUEL  OIL  CONTROL  VALVE.  VALVE  ID:®FOCV; 

FUEL_OIL  CONTROL_VALVEJ<EXT:»FUEL  RECIRC; 

FUEL  OIL  CONTROL_VALVESYSTEM:®FUEL  SYSTEM; 
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FUEL  RECIRC.VALVE_ID:=FO_RECIRC; 

FUEL  RECIRCJ^XT:*  FO_SVC_PUMP_DISCH; 

FUEL  RECIRCJ»REV_STATUS:=SHUT; 

FUEL  RECIRC.STATUS:=  SHUT; 

FUEL  RECIRC.OUTPUT  FLOW:*  NONE; 
FUEL_RECIRCJ31EV_0UTPUT_FL0W;=  NONE; 

FUEL  RECIRC.OinPUT_PRESSURE:=NONE; 

FUEL  RECIRCPREV  OUTPUT_PRESS:=  NONE; 

FUEL  RECIRC.SYSTEM:*  FUEL.SYSTEM; 

FO_SVC  PUMP  DISCH.VALVE_ID:=FOSP_DISCH; 

FO  SVC  PUMP  DISCHJ'flEXT:=FEED_STOP_VALVE; 

FO  SVC  PUMP  DISCH.SYSTEM:*FUEL_SYSTEM; 

FEED  STOP  V^VE. VALVE  ID;*  FEED.STOP, 

FEED  STOP  VALVEJ<EXT:=FEEDWATER_CONTROL; 
FEED  STOP  VALVE.SYSTEM;*  FEED.SYSTEM; 
FEEDWATER  CONTROL,  VALVE.ID:*  FWCV; 

FEEDWATER  CONTROL.NEXT;*  MANUAL_CHECK_VLV; 
FEEDWATER_CONTROL.SYSTEM:=  FEED_SYSTEM; 
MANUAL  CHECK  VLV.VALVE.ID:*  MAN_CHK; 

MANUAL  CHECK.VLV  J^XT:*  BLEEDER; 
MANUAL_CHECK_VLV.SYSTEM:=  FEED.SYSTEM; 
BLEEDER.VALVE  ID:*  BLEED; 

BLEEDER  J^EXT;*  AUGMENTOR; 

BLEEDERPREV  STATUS:*  SHUT; 

BLEEDER.STATUS:-  SHUT; 

BLEEDER.OUTPUT_FLOW:*  NONE; 

BLEEDERPREV  OUTPUT_FLOW:=  NONE; 
BLEEDER.OUTPUT_PRESSURE:*  NONE; 

BLEEDERPREV  OUTPUT_PRESS:»  NONE; 
BLEEDER.SYSTEM:*  STEAM  SYSTEM; 
AUGMENTOR.VALVE.ID;*  AUG; 

AUGMENTORJ4EXT:*  FDB.INLET; 
AUGMENTOR.SYSTEM:*  STEAM.SYSTEM; 
FDB_INLET.VALVE_ID:»  FDB_IN; 

FDB  INLETPIEXT:*ONE_FIFTY  INLET; 

FDB  INLET,SYSTEM:«  STEAM  SYSTEM; 

ONE  FIFTY  INLET.VALVE_ID:*ONE  FIFTY  IN; 

ONE  FIFTY  INLET JffiXT:*  PMAC  INLET* 

CM®  FIFTY  INLEr,SYSTEM:«  STEAM  SYSTEM; 

PMAC  INLET. VALVE  ID:*  PMAC  IN; 

PMAC  INLETPIEXT:«ER_BULKHEAD_STOP; 

PMAC  INLETPREV_STATUS:-SHUT; 

PMAC  INLET.STATUS:-  SHUT; 

PMAC  INLET.OUTPUT_FLOW:»NONE; 

PMAC  INLETPREV_OUTPUT_FLOW:«NONE; 

PMAC  INLET.OUTPUT_PRESSURE:«NONE; 

PMAC  INLET.PREV_OUTPUT  PRESS:*  NONE; 

PMAC  INLET.SYSTEM;-  STEAM  SYSTEM; 

ER  BULKHEAD  STOP.VALVE_ID:»  ER_BLKHD_STOP; 

ER  BULKHEAD  STOP J<EXT:*  AMR  BULKHEAD_STOP. 
ER.BULKHEAD  STOP.SYSTEM:*  STEAM.SYSTEM; 

AMR  BULKHEM)  STOP.VALVE  ID:*  AMR.BLKHD  STOP; 
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AMR  BULKHEAD  ST0PJ4EXT:*  MFP.STM  SUPPLY; 
AMR  BULKHEAD  STOP.SYSTEM:=  STEAM  SYSTEM; 
MFP  STM_SUH»LY.VALVE_ID:=  MFP  STM.SUP; 

MFP  STM  SUPPLY JiEXT:=  VIRTUAL  SH_OUTLET; 
MFP_STM  SUPPLY.SYSTEM:=STEAM_SYSTEM; 
end  INITIALIZE  PLANT; 


-  Procedure  CHECK.FOR JFLOW  ascertains  whether  or  not 
~  there  is  still  a  flow  path  in  a  system  after  a  valve’s  status  has 

-  been  changed 


procedure  CHECK_FOR_FLOW(VALVE_IN:  in  out  VALVE.PTR; 

FLOW:  in  out  BOOLEAN)  is 

COUNT.  COUNT2:  NATURAL:=  1; 

begin 

VALVE_IN.COUNTED:=  TRUE; 

if  VALVE  IN.STATUS  =  OPEN  and  VALVE_IN.DOWNSTREAM(l)  =  null  then 
FLOW:=TRUE; 

if  VALVE_IN.STATUS  *  OPEN  then 
while  VALVE_IN.DOWNSTREAM(COUND  h  null  loop 
if  VALVE  IN.DOWNSTREAM(COUNT).COUNTED  =  FALSE  then 
CHECK_FOR_FLOW(VALVE_IN.DOWNSTREAM(COUNT)JT.OW); 
end  if; 

COUNT:=  COUNT  + 1; 
end  loop; 
end  if; 

if  FLOW -FALSE  then 

whUe  VALVE_IN.UPSTREAM(COUNT2)  /=  null  loop 
CHECK_POR_FLOW(VALVE  IN.UPSTREAM(COUNT2).  FLOW); 
COUNTS-  COUNT2  + 1; 
end  loop; 
end  if; 
end  if; 

end  CHECK_FOR_FLOW; 


~  Procedure  OVER.PRESSURE  will  create  an  overpressurization 
"  in  a  system  which  is  supplied  pressure  but  which  has  no  flow 


procedure  OVER_PRESSURE(AFFECTED:  in  out  VALVE_PTR)  is 
COUNT:  NATURAL:-  1; 
begin 

if  AFFECTED.INPUT_PRESSURE  <  HIGH  and  AFFECTED.  VALVE  ID  /=  SAFETIES  then 
AFFECTEDJNPUT  PRESSURE:-  HIGH; 
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whik  AFFECTED.lJPSTR£AM(COUNT)  /s  null  loop 
AFFECIED.UPSTREAM(CX)UNT).OUTPlJT  PRESSURE:*  fflGH; 
if  AFFECTED.UPSTREAM(COUND.STATUS  «  OPEN  then 
OVER_PRESSURE(AFFECTED.UPSTREAM(COUNT)); 
end  if; 

COUNT:*  COUNT +1; 

Old  loop; 

if  TRACE  *  TRUE  that 
SHOW_VALVE_STATUS(AFFECTED); 
end  if; 

AFFECTEDJ»REV_INPUT_PRESS:*  AFFECIED.INPUT_PRESSURE; 
end  if; 

end  OVER_PRESSURE; 


~  Procedure  PROPAGATE_VALVE_VALUES  propagates 

-  new  system  values  through  the  upstream/downstieam  lattice 
~  when  a  valve’s  status  has  been  changed.  It  calls 

-  CHECK_FOR_FLOW  and  OVER.PRESSURE  (as  needed) 


procedure  PROPAGATE_VALVE_VALUES  (AFFECTED:  in  out  VALVE.PTR)  is 

COUNT:  NATURAL:*  1; 

FLOW:  BOOLEAN:*  FALSE; 

begin 

if  AFFECTED.STATUS  »  OPEN  then 
AFFECTED.OUTPUT.PRESSURE:*  AFFECTEDJNPUT  PRESSURE; 
AFFECTED.OUTPUT^FLOW;*  AFFECTEDJNPUT.FLOW; 
if  TRACE*  TRUE  then 
SHOW_VALVE_STATUS(AFFECTED); 
end  if; 
else 

AFFECTED,OUT?UT_FLOW:*  NC»^ 

AFFECTED.OUTPUT_PRESSURE:-  NONE; 
if  TRACE  «  TRUE  then 
SHOW_VALVE_STATUS(AFFECTED); 
end  if; 

CHECK_POR_FLOW(AFFECrED.  FLOW); 
if  FLOW*  FALSE  then 
OVER_PRESSURE(AFFECTED); 
end  if; 

for  i  in  l.w^FFECTED.SYSTEM’LENGTH  kx^ 
AFFECTED.SYSTEMCi).COUNTED:*  FALSE; 
end  loop; 
end  if; 

AFFECTEDJ»REV_STATUS:«  AFFECTED  STATUS; 
AFFECTEDJREV_INPUT_PRESS:*  AFFECTEDJNPUT  PRESSURE; 
AFFECTEDJREV.INPUT  FLOW:*  AFFECTED.INPUT  FLOW; 
while  AFFECTED  JX)WNSTREAM(COUND  h  nuU  loop" 
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AFFECTEDJX)WNSTREAM(COUNT).INPUT  FLOW:=  AFFECTED.OUTPUT  FLOW; 
AFFECTED.DOWNSTREAM(COlJNT).INPUT  PRESSURE:* 
AFFECTED.OUTPUT.PRESSURE; 

COUNT:*  COUNT  + 1; 
end  loop; 

end  PROPAGATE_VALVE_VALUES; 


~  Task  PROPAGATE  continuously  monitors  all  valves  in  the 
--  system  and  calls  PROPAGATE_VALVE_VALUES  whenever 
~  input  pressure,  input  flow,  or  output  flow  changes,  or  when 
--  a  valve’s  status  is  changed 


task  body  mOPAGATE  is 

CURRENT:  VALVE.PTR:*  VIRTUAL_SH_OUTLET; 
begin 
delay  1.0; 
loop 

if  CURRENT.STATUS  /=  CURRENTPRE  V.STATUS  or 
CURRENT.INPUT  HIESSURE  M  CURRENTPREV  INPUT  PRESS  ot 
CURRENT.INPUT  FLOW  h  CURRENTPREV_INPUT_FLOW  then 
PROPAGATE_VALVE_VALUES(CURRENT); 
end  if; 

CURRENT:*  CURRENTJ^T; 
delay  0.01; 
endkx^: 

end  PROPAGATE; 

end  VALVES_AND_PIPING; 


with  VALVES  AND_PIPING.  SYSTEM; 
use  VALVES_AND_PIPING.  SYSTEM; 
pi»rV5igft  BOIL£R_MODEL  is 

type  DRUM  is 
lecoid 

WATER  LEVEL:  MEASUREMENT.VALUE; 
KIESSURE:  MEASUREMENT.VALUE; 

FLOW_IN:  MEASUREMENT.VALUE; 

FLOW  OUT:  MEASUREMENT_VALUE; 

TEMP:  MEASUREMENT.VALUE; 

PREV  WATER  LEVEL:  MEASUREMENT_VALUE; 
PREV  PRESSUM:  MEASUREMENT.VALUE; 

PREV  FLOW  IN:  MEASUREMENT_VALUE; 

PREV  FLOW  OUT:  MEASUREMENT.VALUE; 
PREV_TEMP:  MEASUREMENT_VALUE; 
end  record; 

type  TUBE  is 
record 

FLOW  IN:  MEASUREMENT.VALUE; 

FLOW  OUT:  MEASUREMENT_VALUE; 

RUPriWE:  BOOLEAN:*  FALSE; 

TEMP:  MEASUREMENT.VALUE; 

PREV  FLOW  IN:  MEASUREMENT_VALUE; 

PREV  FLOW.OUT:  MEASUREMENT  VALUE; 

PREV  RUPTURE:  BOOLEAN:*  FALSE; 

PREV  TEMP:  MEASUREMENT.VALUE; 
DIRECT_HEAT_CONTACT:  BOOLEAN; 
end  record; 

type  BOILER.FURNACE  is 
record 

DECK  STATUS:  MEASUREMENT  VALUE; 
FIRING_RATE:  MEASUREMENT_VALUE; 
EXPLOSION:  BOOLEAN:*  FALSE; 

PERISCOPE-  MEASUREMENT.VALUE; 

FIRES  LIT:  BOOLEAN:*  FALSE 

FIRE  APPEARANCE  MEASUREMENT.VALUE; 

PREV  DECK.STATUS:  MEASUREMENT.VALUE; 
PREVJTRING.RATE:  MEASUREMENT.VALUE 
PREV_EXPLOSION:  BOOLEAN:*  FALSE; 
PREV_PERISCOPE:  MEASUREMENT  VALUE; 
PREVJTRES.UT:  BOOLEAN:*  FALSE; 
PREV_FIRE_APPEARANCE:  MEASUREMENT.VALUE; 
end  record; 
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type  BOILER  is 
recofd 

STEAM  DRUM:  DRUM; 

WATER  DRUM:  DRUM; 

SUPERHEATER:  TUBE; 

ISSUPERHEATER:  TUBE; 

GENERATION  TUBES:  TUBE; 

FURNACE:  BOILER_FURNACE; 
endiecwd; 

ALPHA_BOILER:  BOILER; 

procedure  INrnALI2£_B0ILER  (BLR:  in  out  BOILER); 
procedure  INCREMENTAL  DECREASE  (BLR:  in  out  BOILER); 
task  FIRES  MANAGER  is 
pragma  PRIORnY(I); 
end  FIRES  MANAGER; 
task  STEAM.DRUM.MANAGER  is 
pragma  PRIORITY(l); 
end  STEAM  DRUM  MANAGER; 
task  TUBE.MANAGER  is 
pragma  PRIORITY(l); 
end  TUBE.MANAGER; 

function  GREATER_OF(X.Y:  in  MEASUREMENT  VALUE)  return  MEASUREMENT  VALUE; 
function  LESSER.OF  (X.  Y:  in  MEASUREMENT.VALUE)  return  ME ASUREMENT.VALUE; 
procedure  RUPTURED.TUBE  CHECK  (BLR:  in  out  BOILER:  X:  in  out  TUBE); 
procedure  DISPLAY.BOE^R  STATUS  (BLR:  in  out  BOILER); 
procedure  RESET.BOILER.PREVIOUS.VALUES  (BLR:  in  out  BOILER); 

end  BOILER.MODEL; 
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with  TEXTJO,  VALVES  AND.PIPING.  SYSTEM; 
use  TEXTJO,  VALVES_AND_PIPING.  SYSTEM; 
package  body  BOILER.MODEL  is 

package  TOUTH  is  new  ENUMERATION JO(BOOLEAN); 
use  TRUTH; 

package  MEASURE  is  new  ENUMERATION JO(MEASUREMENT_VALUE); 
use  MEASURE; 


~  Task  STEAM_DRUM_MANAGER  takes  the  water  flow  into  the 
~  boiler,  conqwes  it  with  steam  flow  out  of  the  boiler  and  generates 

-  highAow  water  level  alarm  conditions  based  on  that  comparison.  Italso 

-  lito  safeties  if  there  is  no  flow  out  of  the  boiler.  STEAM_DRUM_MANAGER 

-  also  calls  pfxx:edure  INCREMENTAL.DECREASE  if  safeties  are  (q)en. 


task  body  STEAM_DRUM_MANAGER  is 

begin 
delay  1.0; 
loop 

ALPHA_BOILER.STEAM_DRUMJLOW  IN:=  MANUAL  CHECK  VLV.OUTPUT  FLOW; 
if  ALPHA.BOILER^TEAM  DRUMELOW  IN  =  NORM  ^ 

ALPHA_BOILER.STEAM  DRUMJPLOW  OUT  «  NORM  then 
ALPHA_BOILER.STEAM_DRUM.WATER_LEVEL;=  NORM; 
elsifALPHA_BOILER.STEAM_DRUMELOW  IN> 
VIRTUAL.SH_OUTLET.OUTPUT_FLOW  then 
ALPHA_BOILER.STEAM_DRUM.WATER_LEVEL:«  HIGH; 
delay  0.S; 

if  ALPHA_BOILERJSTEAM_DRUMELOW_OUT  «=  NONE  then 
ALPHA.B01LER.STEAM_DRUM.WATER_LEVEL:-  HIGH.ALARM; 
end  if; 

eUf  ALraA_BOILER.STEAM_DRUMJ^W  1N< 

ALPHA_B0ILER.S1EAM  DRUMJLOW  OUT 
or(ALPHA_BOILER.SlE^  DRUMJIjOW  IN  >:  NONE  and 
ALPHA_BOILER.STEAM_DRUM.WATER  LEVEL  >  LOW)  then 
ALPHA_BOILER.STEAM_DRUM.WATER_LEVEL:*  LOW; 
delay  0.S; 

if  ALPHA_BOILER.STEAM_DRUM  JLOW.IN  »  NONE  then 
ALPHA_BOILER.STEAM_DRUM,WATER_LEVEL:*  LOW.ALARM; 
end  if; 
end  if; 
delay  2.0; 

if  VIRTUAL_SH_OUTLET.INPUT  PRESSURE  =  HIGH  then 
ALPHA_BOILER,STEAM_DRUM  J>RESSURE;»  LIFT_SAFE_HI; 
delay  0.0; 

SAFETY_VALVES.STATUS:*  OPEN; 
end  if; 
delay  2.0; 
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SAFETY  VALVES.INPUr_PRESSURE:=  ALPHA  BOD-ER.STEAM_DRUM.PRESSURE; 
VIRTUAL  SH  OUTLET.INPUT  PRESSURE:* 

aLpha_boiler.steam_drumpressure: 

delay  2.0; 

if  SAFETY  VALVES.STATUS*  OPEN  then 
SAFETY  VALVES.INPUT  FLOW;*  NORM; 
INCREhffiNTAL_DECREASE(ALPHA_BOILER); 
end  if; 
delay  2.0; 
end  loop; 

end  STEAM_DRUM_MANAGER; 


-  Task  FIRES_MANAGER  contnds  firing  rate  by  controlling  the  output 
~  of  the  fuel  oU  control  valve  based  on  steam  drum  pressure 


task  body  FIRES.MANAGER  is 

begin 
delay  1.0; 
loop 

if  ALPHA  BOILERJURNACE.FIRING_RATE  h  NONE  then 
ALPHA  BOILERJFURNACEilRING  RATE:* 

FUEL_MANIFOLD.OUTPUT_raESSURE; 

end  if; 

if  ALPHA  BOILERiaJRNACE.FIRING_RATE  *  NONE  then 
ALPHA  BOBLEREURNACEJTRES  LIT:*  FALSE; 

ALPHA  BOILERJOJRNACEJTRE  APPEARANCE:*  NONE; 
ALPHA_BOILER.STEAM  DRUM.TEMP:*  LOW; 
ALPHA_BOILER.GENERATION.  JBES.TEMP:*  LOW; 
ALPHA_BOILER.SUPERHEATER.  rEMP:*  LOW; 
ALPHA_BOILERi)ESUPERHEATER.TEMP:*  LOW; 
end  if; 

ifALPHA.BOILERJ’URNACEJlRING  RATE  -  NONE  then 
ALPHA_BOILER.STEAM_DRUM  J>RESSURE;*  LOW; 
elsif  ALPHA_BOILER.GENERATION_TUBES  JIUPTURE  or 
ALPHA_BOILER.SUPERHEATER  JIUPTURE  or 
VIRTUAL  SH  OUTLET.INPUT  FLOW  *  NONE  then 
if  ALPHA_BOILER.STEAM  DRUM  J^IESSURE  >  LOW  then 
ALPHA_B01LER.STEAM  DRUMJRESSURE:*  LOW; 
deUy20.0; 
end  if; 

ALPHA_BOILER.STEAM_DRUM  J>RESSURE:*  NONE; 
end  if; 

if  FUEL  MANIFOLD.STATUS  «  OPEN  and 

FUEL_MANIFOLD.INPUT  PRESSURE  h  NONE  and 
ALPHA_BOILER.STEAM  DRUMJFLOW  IN  h  NONE  then 
if  ALPHA_BOILER.STEAM_DRUMJPRESSURE  >  NORM  then 
FUEL_OIL_CONTROL_VALVE.OUTPUT_raESSURE;*  LOW; 
delay  2.0; 

if  ALPHA.BOILERJURN  ACEEIRING.RATE  /*  NONE  Aen 
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if  VIRTUAL  SH.OUTLETJNPUT  PRESSURE  <  HIGH  then 
ALPHA_BOILER.STEAM_DRUM  J>RESSURE:=  NORM; 
end  if; 
else 

ALPHA  BOILERJURNACE.DECK_STATUS:*FUEL  ON  DECK; 
ALPHA_BOtt-ERJJURNACEJ»ERISCOPE:=  FOGGED; 
end  if; 

elsif  ALPHA  BOn^.STEAM_DRUMPRESSURE  <  NORM  then 
FUEL_OE,_CONTROL_VALVE.OUTPUT_PRESSURE:*  HIGH; 
delay  2.0; 

if  SAFETY  VALVES-STATUS^  OPEN  and 

ALHIA  BOILERPURNACEPIRING  RATE  h  NONE  then 
ALPHA_BOLER.STEAM_DRUMi»RESSURE:=  NORM; 
end  if; 

if  ALPHA  BOELERPURNACEEIRES  LIT  =  FALSE  then 
ALPHA_BOILERPURNACE.DECK_STATUS:=  FUEL.ON.DECK; 
end  if; 

elsif  ALPHA  BOILER.STEAM_DRUMPRESSUR£  «  NORM  and 
FUEL  MANIFOLD.OUITUT  PRESSURE  NORM  and 
FUEL  MANIFOLD.OUIPUT  PRESSURE NONE  and 
FUEL  MANIFOLD.STATUS  i:  OPEN  then 
FUEL  OIL  CCMmOL  VALVE-OUTPUT  PRESSURE:= 

LESSER_OF(IjOW.FO_SVC_PUMP_DISCH.OUTPUT_PRESSURE); 

end  if; 
end  if; 
delay  0.0; 

ifALPHA_BOILERPURNACEFIRING  RATE  NONE  and 
AIR_REGISTERS.OUTPUT^FLOW  =  NONE  then 
ALPHA  BOILERPURNACEPIRE  API^ARANCE:^  IRREGULAR; 
ALPHA.BODLERPURNACEPERISCOPE:*  BLACK; 
end  if; 
delay  OX); 

if  ALPHA.BOILERPURNACEPIRING  RATE  ^  NONE  and 
AIRJIEGISTERS.OUTPUT  FLO W /b  NONE  and 
ALPHA_BOILERPURNACEJ>ECK  STATUS  »  FUEL  ON  DECK  then 
ALPHA_BOILERPURNACE£XPLOSION:s  TRUE; 
end  if; 
delay  0.0; 

if  FUEL  MANIFOLD.OUIPUT  FLOW  <  AIR.REGISTERS.OUIPUT  FLOW  then 
ALPHA  BOILERPURNACEPERISOOPE:*  ORANGE; 
ALPHA_BOILERPURNACEPIRE  APPEARANCE;*  IRREGULAR; 
ALPHA_BOILER.SUPERHEATCR.TEMP>  LOW; 
delay  60.0; 

ALPHA_BOILERPURNACE£XPLOSION>  TRUE; 
end  if; 
delay  0.0; 

if  FUEL  MANIFOLD.OUIPUT  PRESSURE NONE  and 
FUEL_MANIPOLD.OUTPUT_PRESSURE  < 

A1R_REGISTERS.0U1PUT  PRESSURE  and 
ALPHA_BOnJERPURNACEPIRlNG  RATE  M  NONE  then 
ALPHA  BOILERPURNACEPIRE  APPEARANCE;*  IRREGULAR; 
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delay  10.0; 

ALPHA.BOILER  JURNACEJFIRING_RATE:=  NONE; 
end  if; 
delay  0.0; 
endkx^; 

cndFIRES.MANAGER; 


-  Procedure  INCREMENTAL.DECREASE  reduces  steam  drum  pressure 

-  in  the  event  of  safeties  lifting 


procedure  INCREMENT AL.DECREASE  (B1J(:  in  out  BOILER)  is 

begin 

loop 

case  BLR.STEAM_DRUMJ>RESSUR£  is 
when  LIFT_SAra_HI  *> 
delay  2.0; 

BLR.STEAM  DRUM.PRESSURE;=  HIGH; 

safety_vaLves.input_pressure:=blr.steam_drumpressure; 

delay  0.0; 
when  HIGH  «> 
delay  2.0; 

BLR.STEAM  DRUMPRESSURE:«  NORM; 

SAFETY  VALVES JNPUT  PRESSURE:=  BLR.STEAM_DRUMJ*RESSURE; 
SAFETY  VALVES.STATUS;- SHUT; 
SAFETY_VALVES.OUTPUT_FLOW;=  NONE; 
dday  0.0; 
exit; 

when  others  >s> 
null; 
end  case  ; 
end  loop; 

end  INCREMENTAL.DEOREASE; 


~  Function  GREATER.OF  compares  two  MEASUREMENT.VALUE’s* 
~  and  returns  the  one  with  the  greater  value 


function  GREATER  OF  (X,  Y:  in  MEASUREMENT.VALUE)  return 
MEASUREMENT.VALUE  is 
VALUE:  MEASUREMENT.VALUE; 

begin 

ifX>Ythen 
VALUE:*  X; 
else 

VALUE:*  Y; 
end  if; 

return  VALUE; 
end  GREATER.OF; 


~  Function  LESSER.OF  compates  two  MEASUREMENT.VALUE’s 
~  and  ittums  the  one  with  the  greater  value 


function  LESSER  OF  (X.  Y:  in  MEASUREMENT.VALUE)  return 
MEASUREMENT.VALUE  is 
VALUE;  MEASUREMENT.VALUE; 

begin 

ifX<Ythen 
VALUE;=  X; 
else 

VALUE:*  Y; 
end  if; 

return  VALUE; 
endLESSER.OF; 


*•  Procedure  RUPTURED_TUBE_CH£CK  io(dcs  for  less  input  flow 
-'to  a  tube  than  output  flow,  or  when  there  is  no  input  flow.  Since 
flow  through  a  Uibe  cools  the  inno’  surfaces  erf'  the  tube,  no  flow  or 
-  severely  restricted  flow  will  result  in  a  nq)tuied  tube 


{Rocedure  RUPTURED_TUBE_CHECK  (BLR:  in  out  BOILER;  X:  in  out  TUBE)  is 
begin 

if  BLR  JURNACEPIRES_Lrr  then 
if  XJLOW.IN  «  NONE  then 
delay  10.0; 

if  X  J5LOW_OUT  -  NONE  then 
X.TEMP;«HIGH; 

if  X  J)IRECr_HEAT_OONTACT  then 
XJIUPTURE:-TRUE; 
end  if; 
end  if; 

elsif  X  JLOW.IN  <  X  JLOW.OUT  then 
delay  20.0; 

ifXJ=LOW_IN<XJlJOW  OUT  then 
X.TEMP;«HIGH; 

ifXJ)IRECr  HEAT  CONTACT  then 
XJIUPTURE:*TRUE; 
end  if; 
end  if; 
end  if; 

ifXKUFTUREthen 

BLRfURNACEPERISCOPE:*  FOGGED; 

Old  if; 
end  if; 

end  RUPTURED_TUBE_CHECK; 
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~  Task  TUBE_MANAGER  controls  flow  out  of  the  boiler,  dq)ending 
~  on  water  input  to  tubes  and  whether  (v  not  a  tube  rupture  has  occuned 


task  body  TUBE.MANAGER  is 

begin 
delay  1.0; 
loop 

ALPHA  BOILER.STEAM  DRUM.FLOW_IN:= 

MANUAL.CHECK  VLV.OUTPUT_FLOW; 

ALPHA_BOIIJER.WATER_DRUMJ1jOW_IN:= 

ALPHA_BOILER.STEAM  DRUMJLOW.IN; 

ALPHA_BOILER.WATER_DRUMPLOW_OUr:* 

ALPHA_BOILER,WATER_DRUMJLOW_IN; 

ALPHA  BOILER.GENERATION  TUBES.FLOW_IN:= 

ALPHA_BOILER,WATER_DRUMJLOW_OUT; 

if  ALPHA_BOILERPURNACE.FIRING_RATE  =  NONE  then 
delay  lOX); 

ALPHA_B0ILER.GENERAT10N_TUBES  JLOW_OUT:=  LOW; 

else 

ALPHA  BOILER.GENERATION_TUBESJJLOW_OUT:= 

ALPHA_B0ILER.GENERAT10N_TUBESPL0W_IN; 

end  if; 

ALPHA  BOILER,STEAM  DRUM.FLOW_OUT:= 

ALPHA_B0ILER.GENERAT10N_TUBESJL0W_0UT; 

delay  1.0; 

RUPTURED  TUBE  CHECK  (ALPHA  BOEDER, 

ALPHA  BOILER.GENERATION_TUBES); 

ALPHA_BOILER.SUPERHEATERJTX)W_IN:« 

ALPHA  BOI1JER.STEAM  DRUMJLOW.OUT; 

SAFETY_VALVESJNPUT_FLOW;«ALPHA_BOILER.STEAM_DRUM.FLOW_OUT; 

ALPHA  BOlLER.SUPERHEATERPLOW_OUT:= 

ALPHA_BOILER.SUPERHEATERJLOW_IN; 

delay  IX); 

RUPTURED  TUBE  CHECK  (ALPHA  BOILER,  ALPHA_BOILER.SUPERHEATER); 

VIRTUAL.SH  OUTiJET.INPUT  FLOW:= 

ALPHA  BOILER.SUPERHEATERfLOW_OUT; 

if  VIRTUAL  SH  OUTLET.STATUS  «  OPEN  then 
VIRTUAL  SH  OUTLET.OUTPUT  FLOW:* 

VIRTUAL_SH_OUTLEfjNPUT_FLOW; 

else 

VmTUAL_SH_OUTLET.OUTPUT_FLOW:*  NONE; 

end  if; 

ALPHA  BOILERI}ESUPERHEAIERJTX)W  IN:* 

VIRTUAL  SH  OUTLET.OUTPUT  FLOW; 

MAIN  STEAM  STOP.INIW  FLOW:*  VIRTUAL  SH  OUTLET.OUTPUT.FLOW; 

ALPHA  BOILERDESUPERHEATERJFLOW_OUT:= 

ALPHA  B0IL£RJ>ESUPERHEATERJ1.0W_IN; 

AUX  STEAM_STOP.INPUT  FLOW:* 

ALPHA  BOILERDESUPERHEATER JLOW  OUT; 
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delay  1.0; 

RUPTURED  TUBE_CHECK(ALPHA_BOILER. 

ALPHA_BOILERDESUPERHEATER); 


delay  0.0; 
endk)^; 

endTUBE_MANAGER; 


"  Procedure  RESET_BOILER_PREVIOUS_VALUES  sets  the  values 
--  of  *^v_"  fields  to  the  value  of  the  ctHresponding  non-”ptev_’’  field. 
-  See  BOILER  recnd  specification  fcv  further  clarification 


procedure  RESET_BOILER_PREVIOUS_VALUES  (BLR:  in  out  BOILER)  is 
begin 

BLR.SIEAM  DRUM PREV  WATER.LEVEL  :=  BLR.STEAM_DRUM.WATER_LEVEL; 
BLR.S7EAM  I»UMJ*REV  PRESSURE  :=  BLR.STEAM_DRUMPRESSURE; 

BLR.STEAM  DRUMPREV.FLOW  IN  :=  BLR.STEAM_DRUMPLOW_IN; 

BLR.STEAM  MIUMPREV  FLOW  OUT  :=  BLR.STCAM_DRUMPLOW_OUT; 
BLR.S1EAM  DRUMJ«EV  TEMP:*  BLR.STEAM_DRUM.TEMP; 

BLR.WATER  DRUMPREV  FLOW.IN  :*  BLR.WATER_DRUMPLOW_IN; 

BLR.WATER  DRUMPREV  FLOW  OUT  :=  BLR.WATER_DRUMPLOW_OUT; 
BLR.SUPER1^TERPREV  FLOW  IN  BLR.SUPERHEATERPLOW_IN; 
BLR.SUPERHEATERJTIEV  FLOW.OUT  :=  BLR.SUPERHEATERPLOW_OUT; 
BLR.SUPERHEA1ERPREV  RUPTWIE  .*«  BLR.SUreRHEATERPUPTURE; 
BLR.SUP£RHEATER1^V  TEMP  ;*  BLR.SUPERHEATER.TEMP; 
BLR.E«SUPERHEATERJ«EV_FLOW  IN :»  BLR J)ESUPERHEATERPLOW_IN; 
BLR.DESUPERHEATERPREV  FLOW  OUT  :*  BLRDESUPERHEATCRPLOW.OUT; 
BLR.DESUPERHEATER.PREV  RUPTURE :»  BLR J>ESUPERHEATERRUFnjRE; 
BLR.DESUPERHEATERPREV_TEMP  BLRP)ESUPERHEATER.TEMP; 
BLR.GENERATION  TUBESPREV_FLOW_IN :»  BLRGENERATION_TUBES.FLOW_IN; 
BLR.GENERATION_TUBESPREV_FLOW_OUT  > 

BLR.GENERATI(m  TUBESPLOW.OUT; 

BLR.GENERATKX<I  TUBESPREV  RUPTURE :»  BLR.GENERAT10N_TUBES.RUPTURE; 
BLR.GENERATION_TUBESPREV_TEMP :«  BLR.GENERATION_TUBES.TEMP; 
BLRPURNACEJ^V  DECK  STATUS  :*  BLRPURNACEDECK.STATUS; 
BLRPURNACEPREV  FIRING.RATE :»  BLRPURNACEPIRING.RATE; 
BLRPURNACEPREV  EXPLOSION  :*  BLRPURNACE.EXPLOSION; 
BLRPURNACEPREV  reRISCOPE  :*  BLRPURNACEPERISCOPE; 
BLRPURNACEPREV  FIRES  LIT :«  BLRPURNACEPIRES_UT; 

BLRPURNACEPREV  FIRE  APPEARANCE  :*  BLR.FURNACEPIRE  AH*EARANCE; 
end  RESET  BOILER  PREVIOUS.VALUES; 


"  Procedure  INTnALXZE.BOIIPR  sets  all  bc^er  components  to  normal  steady 
"  state  steaming  values  - 


procedure  INITIALIZE.BOILER  (BLR:  in  out  BOILER)  is 
b^ 

BLR.STCAM_DRUM.WATER_LEVEL:=  NORM; 
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BLR.STEAM  DRUMi%ESSURE:s  NORM; 

BLR.STCAM  DRUM JLOW_IN:=  NORM; 

BLR.STEAM  DRUM JLOW.OUT:*  NORM; 

BUI  STEAM  EAUM.’rBMPrsNORM; 

Bi  ^.WATER_DRUMJLOW_IN:=NORM; 

BLR.WATER  DRUM JLOW.OUT:*  NORM; 
BUl.SUPERHEATERfLOW_IN:=  NORM; 
BLR,SUPERHEATERJ=LOW_OUT:»  NORM; 
BLR.SUPERHEATERJIUPTURE:=  FALSE; 
BLR.SUPERHEATER.TEMP:=  NORM; 
BLR.SUPERHEATERDIRECT_HEAT_CONTACT:=  TRUE; 
BLR.I^UPERHEA'IER.FLOW  IN:sNORM; 
BLR.DESUPERHEATCR  J=LOW_OUT;=  NORM; 
BLR.DESUPERHEATERJIUPTURE:=  FALSE; 
BLR.DESUPERHEATER.TEMP:=  NORM; 
BLR.DESUPERHEATER.DIRECT_HEAT  CONTACT:^  FALSE; 
BLR.GENERATI(»4  TUBESfLOW.IN:®  NORM; 
BLR.GENERATIC»«(  TUBESPLOW_OT -T:»  NORM; 
BLR.GENERATION_TUBES  JIUPTURE;.  FALSE; 
BLR.GENERATION  TUBES.TEMP:=  NORM; 

BLR.GENERATION  TUBESDIRECT_HEAT_CX)NTACT:=TRUE; 
“ILR  JURNACE.DEac_STATUS:»  NO_FUEL_ON_DECK; 

BLR  JURNACEJTRING.RATE:*  NORM; 

BLR  JURNACE£XPLOSION:«  FALSE; 

BLR  JURNACEJ'ERISCOPE:*  CLEAR; 
BLRJURNACE.FIRES_LIT:=  TRUE; 

BLRJURNACEJIRE  APreARANCE:=  FAN  SHAPED; 
RESET_BOILER_PREVIOUS_VALUES(BLR); 
end  INrriAUZE.BOILER; 


-  Procedufc  DISPLAY_BOILER_STATUS  shows  the  values  of  boiler  parameters. 

~  Some  may  not  be  measurable  in  real  life,  but  their  display  here  demonstrates  nKwe  fully  the 
..  causal  chain  of  events  - 


procedure  DISPLAY_BOILER_STATUS(BLR:  in  out  BOILER)  is 
begin 

if(BLR.STEAM  DRUM.WA1ER_LEVEL /- 

BLR.STEAM  DRUMJ»REV_WATER  LEVEL  or 

BLR.STE^  DRUMJ»RESSURE/=BLR.STEAM_DRUMPREV_PRESSUREor 
BLR.STEAM  DRUMJLOW  IN/^ 

BLR.STEAM  DRUM  JREV  FLOW  IN  or 
BLR.STEAM_DRUM  fLOW.OUT  ^ 

BLR.STEAM  DRUMPRE  V_FLOW_OUT  or 

BLR.STEAM  DRUM.TEMP  ^  BLR.STCAM  DRUMPREV  TEMP  or 

BLR.  WATER  DRUMPLOW  mh 

BLR.WATER  DRUMPREV.FLOW  IN  or 

BLR.  WATER_DRUMPLOW_OUT  /* 

BLR.WATER  DRUMJTtEV  FLOW  OUT  or 
BLR.SUPERHEATERPLOW_IN  h 
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BLR.SUPERHEATERPREV  FLOW  IN  or 
BLR.SUPERHEATERJLOW  OUT/« 

BLR.SUPERHEATERPREV  FLOW.OUTor 
BLR.SUPERHEATERPUPTURE  h 
BLR.SUPGRHEATERPREV  RUPTURE  or 

blr.superheater.temp/bBlr.superheaterprev  temp  or 

BLR.DESUPERHEATERPLOW  THh 
BLR.DESUPERHEATERPREV_FLOW  IN  or 
BLR,DESUPERHEATERPLOW_OUT  h 
BULDESUPERHEAIERPREV  FLOW.OUTot 
BULDESUPERHEAIERPUPTURE  h 
BLR.DESUPERHEATERPREV  RUPTURE  or 

blr.desuperheater.temp/bBlr.desuperheaterprev  temp  or 

BLR.GENERATTON_TUBESPLOW_IN  /= 
BLR.GENERATION_TUBESPREV_FLOW_IN  or 
BLR.GENERATTON  TUBESPLOW.OUT /= 

BLR.GENERATTON  TUBESPREV_FLOW_OUT  or 
BLR.GENERATTON_TUBES  PUPTURE  h 
BLR.GENERATTON  TUBESPREV.RUPTURE  w 
BLR.GENERATION_TUBES.TEMP  /* 

BULGENERATTON  TUBESPREV.TEMP  or 
BLRPURNACEDECK_STATUS  h 
BLRPURNACEPREV.DECK  STATUS  or 

BLRPURNACEpnUNG  RATE /=  BLRPURNACEPREV_FIRING_RATE  or 
BLRPURNACEEXPLOSIONMBLRPURNACEPREV  EXPLOSION  or 
BLRPURNACEPIRES  LIT BLRPURN ACEPREV  FIRES  UTor 
BLRPURNACEPERISCX)PE  />  BLRPURNACEPREV  PERISCOPE  or 
BLRPURNACEPIRE_APPEARANCE  h 
BLRPURNACE.PREV_FIRE_APPEARANCE)  then 

NEW_LINE; 

SET_COL(30); 

PUT.UNECTLANT  STATUS-BOEER"); 

NEW_LINE; 

PUTCBOILER  STEAM  DRUM  WATER  LEVEL:  y, 
PUT(BLR.STEAM_DRUM.WATER  LEVEL); 

SET_COL(45); 

PUTCBOEER  steam  DRUM  PRESSURE;  **); 
PUT(BLR.STEAM_DRUMPRESSURE); 

NEW_LINE; 

PUTCBOILER  STEAM  DRUM  FLOW  IN: 

PUT(BLR.STEAM_DRUM  PLOW  IN); 

SET_COL(45); 

PUTCBOILER  STEAM  DRUM  FLOW  OUT;  “); 

Pin'(BLR.STEAM  DRUMPLOW  OUT); 

NEWJJNE; 

PUTCBOILER  STEAM  DRUM  TEMP:  *); 

PUT(BIJLSTEAM  DRUM.TEMP); 

NEW_UNE(2); 

PUTCBOILER  WATER  DRUM  FLOW  IN:  “); 

PUT(BLR.WATER_DRUMPLOW  IN); 

SET_COL(45); 
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PUTC*BOILER  WATER  DRUM  FLOW  OUT:  “); 

PUT(BLR.WATER_DRUM.FLOW_OUD; 

NEW_LINE(2); 

PUTCSUPERHEATER  FLOW  IN:  “); 

PUT(BLR.SUPERHEATERfLOW_IN); 

SET„COL(45); 

PUTC'SUPERHE ATER  FLOW  OUT;  “); 

PUT(BLR.SUPERHEATERPLOW_OUD: 

NEW.LINE; 

PUTC'SUPERHEATER  RUPTURE:  “)*. 

PUT(BLR.SUreRHEATERJlUPTURE); 

SET_COL(45); 

PUrrSUPERHEATER  TEMP.  “); 

PUT(BLR.SUPERHEATER.TEMP); 

NEW_UNE(2); 

PUT(“DESUPERHEATER  flow  IN:  “); 

PUT(BLR.DESUPERHEATERJLOW_IN); 

SET_CX)L(45); 

PUTCDESUPERHEATER  FLOW  OUT;  1; 
PUT(BLR.DESUPERHEATERELOW_OUT); 
NEW  LINE; 

PUrrOESUPERHEATER  RUPTURE:  “); 

PUT(BLR.DESUPERHEATERJIUPTURE); 

SET_CX)L(45); 

PUTCDESUPERHEATER  TEMP: "); 

PUT(BLR.DESUPERHEATER.TEMP); 

NEW_LINE(2); 

PUTCGENERATION  tubes  flow  IN:  “): 

PUT(BLR,GENERATION_TUBESJLOW_IN); 

SETjCOL(45); 

PUTCXiENERATICW  TUBES  FLOW  OUT:  “); 

PUT(BLR.GENERATI0N_TUBESJL0W_0UT); 

NEW.UNE; 

PUTCtJENERAnON  TUBES  RUPTURE:  *0; 

PUT(BLR,GENERATIW_TUBESRUPTURE); 

SET_CX>L(45); 

putTGeneration  tubes  temp.  *0; 

PUT(BLR.GENERATI0N_TUBES.TEMP); 

NEW_UNE(2); 

PUTCTURNACE  DEC^.  STATUS:  “); 

PUT(BLRJURNACEJ>ECK_STATUS): 

SET_C0L(45); 

PUTCTIRING  RATE:  “); 

PUT(BLRJURNACEJ1RING_RATE); 

NEW_LINE; 

PUTTBOILER  EXPLOSION:  “); 

PUT(BLRJURNACE£XPL0SI0N); 

SET_C0L(45); 

PUTC*PERISCOPE:‘0; 

PUT(BLRJURNACEJ»ERISC0PE); 

NEW  LINE; 

PUTCTIRESUT:“); 
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PlJT(BULFURNACEFIRES_Lrr); 

SET  COL(45); 

PUTCTIRE  APreARANCE:  “); 
PUTCBLRJURNACEJTRE.APPEARANCE); 
NEW.LINE; 
fori  in  1..801o(q) 

pure-*); 

endkx^; 

NEW_LINE; 
fori  in  1..801oop 
PUT(T): 
endkx)p; 

NEW_LINE; 
for  i  in  1.^  10(9 

pure-’): 

end  loop; 

NEW  LINE(2): 

RESET_BOILER_PREVIOUS_VALUES(BLR); 
end  if; 

end  DISHAY.BOILER.STATUS; 
end  BOILER.MODEL; 
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with  TEXT  10.  VALVES  AND_PIPING,  BOILER  MODEL,  SYSTEM; 
use  TCXTJO.  VALVES_AND_PIPING.  BOILER.MODEL,  SYSTEM; 

[Mtxedure  MAIN  is 
VALVE  OF  INTEREST:  INDEX; 

CURRENT:  VALVE  PTR:=  VIRTUAL_SH_OUTLET: 

CHOICE.  NEXT_CHOICE,  LAST_CHOICE:  CHARACTER; 
pragma  FRI0RITY(2); 

package  INDEX  lO  is  new  ENUMERATION_IO(INDEX); 
useINDEXJO; 

begin 

FILL  SYSTEM  ARRAYS; 

ASSIGN  VALVE  ORDER; 

INrnALIZE_BOILER(ALPHA  BOILER); 

INTTIALIZE.PLANT; 

TRACE:*  TRUE; 

PUTC'CHANGE  VALVE  (QHARACTERISTIC  OR  (V)ALVE  STATUS?”); 
GET(CHOICE); 

NEW_LINE; 

PUTCENTER  VALVE  TO  CHANGE:  “); 

GET(VALVE  OF_INTEREST); 

while  CURRENT.  VALVE.ID  /*  VALVE_OF_INTEREST  loop 
CURRENT:*  CURRENT24EXT; 
end  loop; 

if  CHOICE  -  ‘C’  or  CHOICE  *  ‘c’  then 
PUTCCHANGE  INPUT  (F)LOW  OR  INPUT  (P)RESSURE?”); 
GET(NEXT_CHOICE); 

NEW.LINE; 

PUTC'CHANGE  TO  (N)ONE.  (L)OW.  N(0)RM.  (H)IGH?”); 
GET<LAST_CHOICE); 

NEW.LINE; 

if  NEXT.CHOICE  =  ‘F  or  NEXT.CHOICE  =  T  then 
caaeLAST.CHOICEis 

when  ‘N’  I  ‘n’  «o  CURRENT JNPUT  FLOW:*  NONE; 
when  ‘L’  I  ‘1’  *>  CURRENTJNPUT  FLOW:*  LOW; 
when  ‘O’  I  'o’  *>  CURRENTJNPUT  FLOW:*  NORM; 
when  ‘H’  I  'h*  «>  CURRENT.INPUT_FLOW:=  HIGH; 
when  others  *>  null; 
end  case; 

elsif  NEXT.CHOICE  *  ‘F  or  NEXT  CHOICE  *  ‘p’  then 
caaeLAST.CHOICEis 

when  ‘N’  I  ‘n’  *>  CURRENTJNPUT  PRESSURE^*  NONE; 
when  ‘L’  I  T  *>  CURRENTJNPUT  HIESSURE:*  LOW; 
when  ‘O’  I  ‘o*  *>  CURRENTJNPUT  PRESSURE:*  NORM; 
when  ‘H’  I  ‘h’  «>  CURRENT  JNPUT J»RESSURE:*  HIGH; 
when  others  *>  null; 
end  case; 
end  if; 

elsif  CHOICE  *  *V’  or  CHOICE  *  V  then 
if  CURRENT.STATUS  *  OPEN  then 
CURRENT.STATUS:*  SHUT; 
dae 

CURRENT.STATUS:*  OPEN; 
end  if; 
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end  if; 
loop 

DISPLAY_BOILER_STATUS(ALPHA_BOILER); 
delay  03; 
end  loop; 
end  MAIN; 
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APPENDIX  B  (BoUerModel  TEST  RESULTS) 


CHANGE  VALVE  (QHARACTERISTIC  OR  (V)ALVE  STATUSTv 
ENTER  VALVE  TO  CHANGE:  fwcv 

VALVE  STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 

FWCV  SHUT  NORM  N(»M  NONE  NONE 

VALVE  STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 

FEED.STOP  OPEN  HIGH  NORM  HIGH  NORM 

VALVE  STATUS  INPUT  PRESS  INPUTFLOW  OUTPUTPRESS  OUTPUTFLOW 

FWCV  SHUT  HIGH  NORM  NONE  NONE 

VALVE  STATUS  INPUT  PRESS  INPUTFLOW  OUTPUTPRESS  OUTPUTFLOW 

MAN.CHK  OPEN  NONE  NONE  NONE  NONE 

PLANT  STATUS-BOILER 

BOILER  STEAM  DRUM  WATER  LEVEL:  NORM  BOILER  STEAM  DRUM  PRESSURE:  NORM 

BOILER  STEAM  DRUM  FLOW  IN:  NONE  BOILER  STEAM  DRUM  FLOW  OUT:  NONE 

BOILER  STEAM  DRUM  TEMP:  N(»M 

BOILER  WATER  mUM  FLOW  IN:  NONE  BOILER  WATER  I»UM  FLOW  OUT:  NONE 

superheater  FLOW  IN:  NORM  SUPERHEATER  FLOW  OUT:  NORM 

SUPERHEATER  RUPTURE:  FALSE  SUPERHEATER  TEMP:  N(»IM 

DESUPERHEATER  FLOW  IN:  NORM  DESUPERHEATER  FLOW  OUT:  NWM 

DESUPERHEATER  RUPTURE:  FALSE  DESUPERHEATER  TEMP:  NORM 

GENERATKWrUBES  FLOW  IN:  NONE  GENERATION  TUBES  FLOW  OUT:  NONE 

GENERATKWTUBES  RUPTURE:  FALSE  GENERATION  TUBES  TEMP:  NORM 

FURNACE  DECK  STATUS:  NO_FUELj(W  DECK  FIRING  RATE:  N(«M 

B(»LER  EXPLOSION:  FALSE  PERISCOPE:  CLEAR 

FIRES  LIT:  TRUE  FIRE  APPEARANCE:  FAN.SHAPED 

nnimimmiiinnimulwiwmimniuiiimiiiliHunmwiimmmnmilinHHnimHiluwiHiiiinimiiiiiiiiiiiiiiiiii 
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PLANT  STATUS-BOILER 

BOILER  STEAM  DRUM  WATER  LEVEL:  LOW  BOILER  STEAM  I»UM  PRESSURE:  NCMM 

BOILER  STEAM  I»UM  FLOW  IN:  NONE  BOILER  STEAM  I»UM  FLOW  OUT:  NONE 

BOILER  STEAM  DRUM  TEMP:  NORM 

BOILER  WATER  DRUM  FLOW  IN:  NONE  BOILER  WATER  I»UM  FLOW  OUT:  NONE 

SUPERHEATER  FLOW  IN:  NORM  SUPERHEATER  FLOW  OUT:  NORM 

SUraRHEATER  RUPTURE:  FALSE  SUPERHEATER  TEMP:  NCttM 

DESUPERHEATER  FLOW  IN:  NORM  DESUPERHEATER  FLOW  OUT;  NORM 

DESUPERHEATER  RUPTURE:  FALSE  DESUPERHEATER  TEMP:  NC»M 

GENERATION  TUBBS  FLOW  IN:  NONE  GENERATION  TUBES  FLOW  OUT:  NONE 

GENERATION  TUBBS  RUPTURE:  FALSE  GENERATION  TUBES  TEMP:  NCMM 

FURNACE  DECK  STATUS:  NO  JTIEL_ON_DECX  FIRING  RATE:  NORM 
BOILER  EXPLOSION:  FALSE  PERISaE>E:  CLEAR 

FIRES  UT:  TRUE  FIRE  APPEARANCE:  FAN_SHAm> 

HninnnnwiwiwmmnmwiimmmwmmmiiiiimmmwinnniinmilWHmilittiiiiiiiiiiiiiiiiwiiiiiiiiiiiiii 


PLANT  STATUS-BOILER 

BOILER  STEAM  I»UM  WATER  LEVEL:  LOW_ALARM  BOILER  STEAM  DRUM  PRESSURE:  NORM 
BOILER  STEAM  DRUM  FLOW  IN:  NONE  BOILER  STEAM  DRUM  FLOW  OUT:  NONE 
BtHLBR  STEAM  DRUM  TEMP:  N(»M 

B<HLER  water  DRUM  FLOW  IN:  NONE  BOILER  WATER  MUM  FLOW  OUT:  NONE 

SUPERHEATER  FLOW  IN:  NORM  SUPERHEATER  FLOW  OUT:  NORM 

SUPERHEATER  RUPTURE:  FALSE  SUPERHEATER  TEMP:  NORM 

DESUPERHEATER  FLOW  IN:  NORM  DESUPERHEATER  FLOW  OUT:  N(«M 

DESUPERHEATER  RUPTURE;  FALSE  DESUPERHEATER  TEMP:  NORM 

GENBRATKN4  TUBES  FLOW  IN:  NONE  GENERATION  TUBES  FLOW  OUT:  NONE 

GENBRATTCWr  TUBES  RUPTURE;  FALSE  GENERATION  TUBES  TEMP:  NCXtM 

FURNACE  DECK  STATUS;  NO_FUELj(»«.DECK  FIRING  RATE- N(»M 

BCMLER  EXPLOSION:  FALSE  PERISCOPE:  CLEAR 

FIRES  UT;  TRUE  FIRE  APPEARANCE:  FANJSHAPED 

HiiHmHUimiiiHiiHHmnmminwnHmHimiiHmmimninmiimmimmiimfimmmmHmimiiHiim 


VALVE  STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 
SAFETIES  SHUT  LOW  NONE  NONE  NONE 
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PLANT  STATUS-BOILER 


BOILER  STEAM  mUM  WATER  LEVEL:  LOW.ALARM  BOILER  STEAM  r«UM  PRESSURE:  LOW 
BOILER  STEAM  DRUM  FLOW  IN:  NONE  BOILER  STEAM  EAUM  FLOW  OUT:  NONE 

BOILER  STEAM  I»UM  TEMP:  N(»M 


BOILER  WATER  DRUM  FLOW  IN:  NONE 

SUPERHEATER  FLOW  IN:  NONE 
SUPERHEATER  RUPTURE:  FALSE 

DESUPERHEATER  FLOW  IN:  NORM 
DESUPERHEATER  RUPTURE:  FALSE 

GENERATION  TUBES  FLOW  IN:  NONE 
GENERATION  TUBES  RUPTURE:  TRUE 


BOILER  WATER  DRUM  FLOW  OUT:  NONE 


DESUPERHEATER  FLOW  OUT:  NC«M 
DESUPERHEATER  TEMP:  N(«M 

GENERATION  TUBES  FLOW  OUT:  NONE 
GENERATION  TUBES  TEMP:  HIGH 


SUPERHEATER  FLOW  OUT:  NONE 
SUPERHEATER  TEMP:  N(»M 


FURNACE  DECK  STATUS:  NO  FUEL  ON.DECK  FIRING  RATE:  N(»M 

BOILER  EXPLOSION:  FALSE  PERISCOPE:  FOGGED 

FIRES  LIT:  TRUE  FIRE  APPEARANCE:  FAN.SHAPED 


VALVE 

STATUS  INPUT  PRESS 

INPUT  FLOW  OUTPUT  PRESS 

OUTPUT  FLOW 

VSH 

OPEN  LOW 

N(«M  LOW 

N(»M 

VALVE 

STATUS  INPUT  PRESS 

INPUT  FLOW  OUTPUT  PRESS 

OUTPUT  FLOW 

MSS 

(E>EN  LOW 

N(»M  LOW 

N(»M 

VALVE 

STATUS  INPUT  PRESS 

INPUT  FLOW  OUTPUT  PRESS 

OUTPUT  FLOW 

DESUP  JN 

OPEN  LOW 

NORM  LOW 

Nom 

VALVE 

STATUS  INPUT  PRESS 

INPUT  FLOW  OUTPUT  PRESS 

OUTPUT  FLOW 

BLEED 

SHUT  LOW 

NC»M  NONE 

NONE 

VALVE 

STATUS  INPUT  PRESS 

BSPUTFLOW  OUTPUTPRESS 

OUTPUT FLOW 

ER_BLKHD 

_STOP 

OPEN  LOW 

NORM  LOW 

N(«M 

VALVE 

STATUS  INPUT  PRESS 

INPUT  FLOW  OUTPUTPRESS 

OUTPUT  FLOW 

AMR.BLKHD 

JSJOP  OPEN  LCV 

NCmM  LOW 

NOIM 

VALVE 

STATUS  INPUT  PRESS 

INPUTPLOW  OUTPUTPRESS 

OUTPUT FLOW 

MFP_STM 

_SUP 

OPEN  LOW 

NORM  LOW 

NORM 

VALVE 

STATUS  INPUT  PRESS 

INPUT  FLOW  OUTPUTPRESS 

OUTPUT  FLOW 

ASS 

OPEN  LOW 

NWM  LOW 

NOIM 

VALVE 

STATUS  INPUT  PRESS 

INPUTFLOW  IHITPUTPRESS 

OUTPUT  FLOW 

AUG 

(X>EN  LOW 

NORM  LOW 

NORM 

VALVE  STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 

FDBJN  OPEN  LOW  NORM  LOW  NORM 

VALVE  STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 

ONE_FIFrY 

JN  (E>EN  LOW  NORM  LOW  NORM 

H-ANT  STATUS-BOILER 

B(»LER  STEAM  DRUM  WATER  LEVEL:  LOW  ALARM  BOILER  STEAM  lUlUM  PRESSURE:  LOW 
BOILER  STEAM  mUM  FLOW  IN:  NONE  BOILER  STEAM  DRUM  FLOW  OUT:  NONE 

BOILER  STEAM  DRUM  TEMP:  NORM 

BOILER  WATER  DRUM  FLOW  IN:  NONE  BOILER  WATER  DRUM  FLOW  OUT:  NONE 

SUPERHEATER  FLOW  IN:  NONE  SUPERHEATER  FLOW  OUT:  NONE 

SUPERHEATER  RUPTURE:  TRUE  SUPERHEATER  TEMP:  HIGH 

DESUPERHEATER  FLOW  IN:  NONE  DESUPERHEATER  FLOW  OUT:  NONE 

DESUPERHEATER  RUPTURE:  FALSE  DESUPERHEATER  TEMP:  NORM 

GENERATION  TUBES  FLOW  IN:  NONE  GENERATION  TUBES  FLOW  OUT;  NONE 

GENERATION  TUBES  RUPTURE:  TRUE  GENERATION  TUBES  TEMP:  HIGH 

FURNACE  DECK  STATUS:  NO  JTJEL  ON.DECK  FIRING  RATE:  NC«M 

BOILER  EXPLOSION:  FALSE  PERISCOPE:  FOGGED 

FIRES  UT;  TRUE  FIRE  APPEARANCE:  FAN  SHAPED 


DESUP  JN  OPEN  LOW  NONE  LOW  NONE 

VALVE  STATUS  INPUT  PRESS  INPUTFLOW  OUTPUTPRESS  OUTPUTFLOW 


FOTJN  OPEN  LOW  NONE  LOW  NONE 
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VALVE 

STATUS  INPUT  PRESS 

INPUTFLOW  OUTPUTPRESS 

OUTPUTFLOW 

(MIE.FIFTY 

JN 

OPEN  LOW 

NONE  LOW 

NONE 

VALVE 

STATUS  INPUT  PRESS 

INPUTFLOW  OUTPUTPRESS 

OUTPUTFLOW 

ERJBLKHD 

.STOP  OPEN  LOW  NONE  LOW  NONE 


VALVE  STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 
AMR_BLXHD 

.STOP  OPEN  LOW  NONE  LOW  NONE 

VALVE  STATUS  INPUT  PRESS  INPUTFLOW  OUTPUTPRESS  OUTPUTFLOW 

MFP.STM. 

SUP  OPEN  LOW  N<mE  LOW  NONE 

PLANT  STATUS-BOILER 

B(»LER  STEAM  DRUM  WATER  LEVEL:  LOW.ALARM  BOILER  STEAM  DRUM  PRESSURE:  NONE 
BOILER  STEAM  mUM  FLOW  IN:  NONE  BOILER  STEAM  DRUM  FLOW  OUT:  NCME 
BOILER  STEAM  DRUM  TEMP;  NORM 

BOILER  WATER  DRUM  FLOW  IN:  NONE  BOILER  WATER  DRUM  FLOW  OUT:  NONE 

SUPERHEATER  FLOW  IN:  NONE  SUPERHEATER  FLOW  OUT:  NONE 

SUPERHEATER  RUPTURE  TRUE  SUPERHEATER  TEMP:  HIGH 

DESUPERHEATER  FLOW  IN:  NONE  DESUPERHEATER  FLOW  OUT:  NONE 

DESUPERHEATER  RUPTURE:  FALSE  DESUPERHEATER  TEMP:  NOtM 

GENERATION  TUBES  FLOW  IN:  NONE  GENERATTON  TUBES  FLOW  OUT:  NONE 

GENERATfm  TUBES  RUPTURE:  TRUE  GENERATTON  TUBES  TEMP.  HIGH 


FURNACE  DECK  STATUS:  NO  J»UEL.ON_I®aC  FIRINO  RATE:  NORM 
BCHLER  EXPLOSION:  FALSE  PERISCOPE'  FOGGED 

FIRES  UT:  TRUE  FIRE  APPEARANCE  FAN.SHAPED 


PLANT  STATUS-BOILER 

BIHLER  STEAM  DRUM  WATER  LEVEL:  LOW JUARM  BIHLER  STEAM  DRUM  PRESSURE:  NONE 
BIELER  STEAM  DRUM  FLOW  IN:  N<mE  BOILER  STEAM  DRUM  FLOW  OUT:  NONE 

BOILER  STEAM  DRUM  TEMP  NORM 

BCHLER  WATER  DRUM  FLOW  IN:  NONE  BOILER  WATER  DRUM  FLOW  OUT;  NONE 

SUPERHEATER  FLOW  IN:  NONE  SUPERHEATER  FLOW  OUT:  NONE 

SUPERHEATER  RUPTURE:  TRUE  SUPERHEATER  TEMP:  HIGH 

DESUPERHEATER  FLOW  IN:  NCmE  DESUPERHEATER  FLOW  OUT:  NONE 

DESUPERHEATER  RUPTURE:  FALSE  DESUPERHEATER  TEMP  HIGH 

GENERATIW  TUBES  FLOW  IN:  NCmE  GENERATTON  TUBES  FLOW  OUT:  NONE 

GENERATION  TUBES  RUPTURE:  TRUE  GENERATTON  TUBES  TEMP  HIGH 
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FI'’  uVACB  DECK  STATUS:  NO_FUEL_ON_DECK  FIRING  RATE.  NORM 

BOILER  EXPLOSION:  FALSE  PERISCXX>E:  FOGGED 

FIRES  LIT:  IRUE  FIRE  APPEARANCE;  FAN.SHAPED 

////////////////////////////////////////////////^^^^^^^ 

VALVE  STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 

VSH  OPEN  NONE  NONE  NONE  NONE 

VALVE  STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 

MSS  OPEN  NONE  NONE  NONE  NONE 

VALVE  STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 

DESUPJN  a>EN  NONE  NONE  NONE  NONE 

VALVE  STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 

SAFETIES  SHUT  NONE  NONE  SC»iE  NONE 

VALVE  STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 

BLEED  SHUT  NONE  NONE  N(»IE  NONE 

VALVE  STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 

ER.BLKHD 

.STOP  OPEN  N<M4E  NONE  NONE  NONE 

VALVE  STATUS  INPUT  PRESS  INPUTFLOW  OUTPUTPRESS  OUTPUTFLOW 

AMR_BLKHD 

.STOP  OPEN  NONE  NONE  NONE  NONE 

VALVE  STATUS  INPUT  PRESS  INPUTFLOW  OUTPUTPRESS  OUTPUTFLOW 

MFP.STM 

.SUP  OPEN  NONE  N<mE  N(»iE  MME 

VALVE  STATUS  INPUT  PRESS  INPUTFLOW  OUTPUTPRESS  OUTPUTFLOW 

ASS  OPEN  NCmE  NONE  NWIE  N(WE 

VALVE  STATUS  INPUT  PRESS  INPUTFLOW  OUTPUTPRESS  OUTPUTFLOW 

AUG  OPEN  NONE  NONE  NCWE  NWIE 

VALVE  STATUS  INPUT  PRESS  INPUTFLOW  (XnPUTPRESS  OUTPUTFLOW 

FCAJN  OPEN  NWS  N(mE  NCWE  NIME 

VALVE  STATUS  INPUT  PRESS  INPUTFLOW  OUTPUTPRESS  OUTPUTFLOW 

(»IE_FIFTY 

JN  OPEN  NONE  NONE  NONE  NIME 
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Oh.  Jin.  bow  nsv  I  Kfve  vou7  min 

CHANGE  VALVE  (QHARACTERISTIC  OR  (V)ALVE  STATUS7c 

ENTER  VALVE  TO  CHANGE:  fotp  discfa 
CHANGE  INPUT  (F)LOW  OR  INPUT  (P)RESSURE7p 

CHANGE  TO  (NyJNE.  (L)OW.  N(0)RM.  (H)IGH71 


VALVE  STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 
FOSP  JHSCH  OPEN  LOW  NORM  LOW  NC«M 

VALVE  STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 
FOCV  OPEN  LOW  NORM  LOW  NORM 

VALVE  STATUS  INPUT  PRESS  INPUTFLOW  OUTPUTPRESS  OUTPUTFLOW 
PO_RECIRC  SHUT  LOW  NORM  NONE  NONE 

VALVE  STATUS  INPUT  PRESS  INPUTFLOW  OUn»OT  PRESS  OUTPUTFLOW 
FUEL_MAN  OPEN  LOW  NORM  LOW  NORM 

PLANT  STATUS-BOILER 

B(MLBR  STEAM  DRUM  WATER  LEVEL:  NORM  BOILER  STEAM  DRUM  PRESSURE:  NORM 

B(HLER  STEAM  DRUM  FLOW  IN:  N<»M  BOILER  STEAM  I»UM  FLOW  OUT:  NORM 

B(HLER  STEAM  DRUM  TEMP:  NORM 

BOILER  WATER  DRUM  FLOW  IN:  NORM  BOILER  WATER  DRUM  FLOW  OUT:  N(»M 

SUPERHEATER  FLOW  IN:  NORM  SUPERHEATER  FLOW  OUT:  NORM 

SUPERHEATER  RUPTURE:  FALSE  SUPERHEATER  TEMP:  NORM 

DESUPERHEATER  FLOW  IN:  NC«M  DESUPERHEATER  FLOW  OUT:  NORM 

DESUPERHEATER  RUPTURE:  FALSE  DESUPERHEATER  TEMP:  NORM 

GENERATION  TUBES  FLOW  IN:  NORM  GENERATION  TUBES  FLOW  OUT:  NORM 

GENERATKm  TUBES  RUPTURE:  FALSE  GENERATION  TUBES  TEMP;  NORM 

FURNACE  raCK  STATUS;  NO_FUELjC»(_DECK  FIRING  RATE:  NORM 
BOILER  EXPLOSKW;  FALSE  PERISOCVE-  CLEAR 

FIRES  UT:  TRUE  FIRE  APPEARANCE:  IRREGULAR 

////////////////////////////////////^^^^^^^ 


PLANT  STATUS-BOILER 

BCMLER  STEAM  DRUM  WATER  LEVEL:  N<»M  BOILER  STEAM  DRUM  PRESSURE:  LOW 

B(ELER  STEAM  DRUM  FLOW  IN:  NORM  BOILER  STEAM  I»UM  FLOW  OUT:  NORM 
B(HLER  STEAM  DRUM  TEMP:  LOW 

B(HLER  WATER  nWM  FLOW  IN:  N(»M  BOILER  WATER  DRUM  FLOW  OUT:  NORM 

SUPERHEATER  FLOW  IN:  NORM  SUPERHEATER  FLOW  OUT:  N(»M 

SUPERHEATER  RUPTURE:  FALSE  SUPERHEATER  TEMP;  LOW 

DESUPERHEATER  FLOW  IN;  NORM  DESUPERHEATER  FLOW  OUT;  NORM 

raSUPERHEATER  RUPTURE:  FALSE  DESUPERHEATER  TEMP;  LOW 
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GENERATION  TUBES  FLOW  IN:  N(m<  GENERATION  TUBES  FLOW  OUT:  N(MIM 

GENERATION  TUBES  RUPTURE:  FALSE  GENERAHON  TUBES  IBMP;  LOW 

FURNACE  DECK  STATUS:  NO_FUEL_ON  DECK  FIRING  RATE:  NONE 

BOILER  EXPLOSION:  FALSE  PERISCC^E:  CLEAR 

FIRES  LIT:  FALSE  FIRE  APPEARANCE:  NONE 

iiinimiiiwnnimmHmmiwiimiwmumimmwnnuiiimiwiimiiiiiiimmmiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiii 


VALVE  STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 
VSH  OPEN  LOW  N(»M  LOW  NCXtM 

VALVE  STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 

MSS  (X>EN  LOW  NORM  LOW  N(»M 

VALVE  STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 

DESUP JN  (B>EN  LOW  N(»M  LOW  N(»M 

VALVE  STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 
SAFETIES  SHUT  LOW  NORM  NONE  NONE 

VALVE  STATUS  INPUT  HIESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 

bleed  shut  low  n(»m  none  none 

VALVE  STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 
ER  BLKHD. 

STOP  OPEN  LOW  NORM  LOW  NORM 

VALVE  STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 

AMR  BLKHD 

.STOP  OPEN  LOW  NORM  LOW  NORM 

VALVE  STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 

MFP.STM 

_SUP  OPEN  LOW  NORM  LOW  NORM 

VALVE  STATUS  INPUT  PRESS  INPUT  PLOW  OUTPUT  PRESS  OUTPUT  PLOW 
ASS  OPEN  LOW  NORM  LOW  NORM 

VALVE  STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 

AUG  OPEN  LOW  NORM  LOW  NORM 

PLANT  STATUS-BOILER 

B(HLER  STEAM  DRUM  WATER  LEVEL:  NC»M  BOILER  STEAM  IXUM  PRESSURE:  LOW 

B(MLER  STEAM  DRUM  FLOW  IN:  NORM  BOILER  STEAM  DRUM  FLOW  OUT:  NORM 

B(HLER  STEAM  mUM  TEMP:  LOW 

BOILER  WATER  mUM  FLOW  IN:  NORM  BOILER  WATER  DRUM  FLOW  OUT:  NC«M 

SUPERHEATER  FLOW  IN:  NORM  SUPERHEATER  FLOW  OUT:  NORM 

SUPERHEATER  RUPTURE:  FALSE  SUPERHEATER  TEMP:  LOW 


100 


DESUPERHEATER  FLOW  IN:  N(»M 
DESUPERHEATER  RUPTURE:  FALSE 

GENERATION  TUBES  FLOW  IN:  NORM 
GENERATION  TUBES  RUPTURE:  FALSE 


DESUPERHEATER  FLOW  OUT:  NORM 
DESUPERHEATER  TEMP:  LOW 

GENERATION  TUBES  FLOW  OUT:  NORM 
GENERATION  TUBES  TEMP:  LOW 


FURNACE  DECK  STATUS:  FUEL  ON  DECK  FIRING  RATE:  NONE 

BOILER  EXPLOSION:  FALSE  PERISCOPE:  CLEAR 

FIRES  UT:  FALSE  FIRE  APPEARANCE:  NONE 


miiiimmimmimiwiiimiimiwHimiiiiiimmmnmimiimiiiiiiiiiiiiiiiiiiiiiiiiiiiimwmHiiiwiiiiiiiiiiii 


VALVE  STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 
FDBJN  (E’EN  LOW  NORM  LOW  N(HtM 

VALVE  STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 
ONE  FIFTY 

_IN  OPEN  LOW  NORM  LOW  NORM 

PLANT  STATUS-BOILER 


BOILER  STEAM  DRUM  WATER  LEVEL:  NORM  BOILER  STEAM  DRUM  PRESSURE:  LOW 

BOILER  STEAM  DRUM  FLOW  IN:  NORM  BOILER  STEAM  DRUM  FLOW  OUT:  LOW 

BOILER  STEAM  DRUM  TEMP:  LOW 


BOILER  WATER  DRUM  FLOW  IN:  NORM 

SUPERHEATER  FLOW  IN:  NORM 
SUPERHEATER  RUPTURE:  FALSE 

DESUPERHEATER  FLOW  IN:  NORM 
DESUPERHEATER  RUPTURE:  FALSE 

GENERATION  TUBES  FLOW  IN:  NORM 
GENERATION  TUBES  RUPTURE:  FALSE 


BOILER  WATER  MUM  FLOW  OUT:  N(»tM 


DESUPERHEATER  FLOW  OUT:  N(»M 
DESUmHEATER  TEMP:  LOW 

GENERATION  TUBES  FLOW  OUT:  LOW 
GENERATION  TUBES  TEMP:  LOW 


SUPERHEATER  FLOW  OUT:  NORM 
SUPERHEATER  TEMP:  LOW 


FURNACE  DECK  STATUS:  FUELjON  DECK  FIRING  RATE:  NONE 

BOILER  EXPLOSION:  FALSE  PERISCCX’E:  CLEAR 

FIRES  UT:  FALSE  FIRE  APPEARANCE:  NONE 


PLANT  STATUS-BOILER 


BOILER  STEAM  DRUM  WATER  LEVEL:  NORM  BOILER  STEAM  DRUM  PRESSURE;  LOW 

BOILER  STEAM  DRUM  FLOW  IN;  NORM  BOILER  STEAM  MUM  FLOW  OUT:  LOW 

BOILER  STEAM  DRUM  TEMP:  LOW 

BOILER  WATER  DRUM  FLOW  IN:  NORM  BOILER  WATER  DRUM  FLOW  OUT;  N(»M 


SUPERHEATER  FLOW  IN;  LOW 
SUPERHEATER  RUPTURE:  FALSE 

DESUPERHEATER  FLOW  IN:  NORM 
DESUPERHEATER  RUPTURE;  FALSE 

GENERATKW  TUBES  FLOW  IN:  NORM 
GENERATKW  TUBES  RUPTURE:  FALSE 


SUPERHEATER  FLOW  OUT;  LOW 
SUPERHEATER  TEMP:  LOW 

DESUPERHEATER  FLOW  OUT;  NORM 
DESinERHEATER  TEMP:  LOW 

GENERATION  TUBES  FLOW  OUT:  LOW 
GENERATION  TUBES  TEMP:  LOW 
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FURNACE  DECK  STATUS;  FUEL_ONJ}ECK  FIRING  RATE:  NONE 


BOILER  EXPLOSION:  FALSE 
FIRES  LIT:  FALSE 


PER1SCC»>E;  CLEAR 
FIRE  APreARANCE:  NONE 


SAFETIES  SHUT  LOW  LOW  NONE  NONE 

PLANT  STATUS-BOILER 

BOILER  STEAM  raiUMWAlBR  LEVEL:  NC»M  BOILER  STEAM  DRUM  PRESSURE:  LOW 

BOILER  STEAM  mUM  FLOW  IN:  NORM  BOILER  STEAM  DRUM  FLOW  OUT:  LOW 
BOILER  STEAM  I»UM  TEMP:  LOW 

BOILER  WATER  mUM  FLOW  IN:  NORM  BOILER  WATER  DRUM  FLOW  OUT:  NC«M 

SUPERHEATER  FLOW  IN:  LOW  SUPERHEATER  FLOW  OUT:  LOW 

SUPERHEATER  RUPTURE:  FALSE  SUPERHEATER  TEMP:  LOW 

DESUPERHEATER  FLOW  IN:  LOW  DESUPERHEATER  FLOW  OUT:  LOW 

DESUPERHEATER  RUPTURE;  FALSE  DESUPERHEATER  TEMP:  LOW 

GENERATION  TUBES  FLOW  IN:  NORM  GENERATION  TUBES  FLOW  OUT:  LOW 

GENERATION  TUBES  RUPTURE:  FALSE  GENERATION  TUBES  TEMP:  LOW 

FURNACE  DECK  STATUS:  FUEL  ON_DECK  FIRING  RATE;  NONE 

BOILER  EXPLOSION:  FALSE  PERISCOPE:  CLEAR 

FIRES  LIT:  FALSE  FIRE  APPEARANCE;  NONE 

nniiiniiiiiimimmiiiiiiimiiiiimiiiiiiiiiuiiiiiinwmiliiimiiimiiiiiiiiniiiiiiwiminnim 

VALVE  STATUS  INPUT  PRESS  INPUTFLOW  OUTPUTPRESS  OUTPUTFLOW 

VSH  OPEN  LOW  LOW  LOW  LOW 

VALVE  STATUS  INPUT  PRESS  INPUTFLOW  OUTPUTPRESS  OUTPUTFLOW 

MSS  OPEN  LOW  LOW  LOW  LOW 

VALVE  STATUS  INPUT  PRESS  INPUTFLOW  OUTPUTPRESS  OUTPUTFLOW 

ASS  OPEN  LOW  LOW  LOW  LOW 

VALVE  STATVS  INPUT  PRESS  INPUTFLOW  OUTPUTPRESS  OUTPUTFLOW 

DESUP JN  OPEN  LOW  LOW  LOW  LOW 

VALVE  STATUS INPUTPRESS  INPUTFLOW  OUTPUTPRESS  OUTPUTFLOW 

BLEED  SHUT  LOW  LOW  NONE  NONE 

VALVE  STATUS  INPUTPRESS  INPUTFLOW  OUTPUTPRESS  OUTPUTFLOW 

AUG  OPEN  LOW  LOW  LOW  LOW 

VALVE  STATUS  INPUT  PRESS  INPUTFLOW  OUTPUTPRESS  OUTPUTFLOW 

FI»JN  OPEN  LOW  LOW  LOW  LOW 
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VALVE  STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  PLOW 

ONE  FIFTY 

_1N  OPEN  LOW  LOW  LOW  LOW 

VALVE  STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 

ER_BLKHD_ 

STOP  OPEN  LOW  LOW  LOW  LOW 

VALVE  STATUS  INPUT  HIESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 

▲MB  mjTun 

.STOP  OPEN  LOW  LOW  LOW  LOW 

VALVE  STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 

ADP  STM 

.SUP  OPEN  LOW  LOW  LOW  LOW 

PLANT  STATUS-BOILER 

BOILER  STEAM  DRUM  WATER  LEVEL:  HIGH  BOILER  STEAM  DRUM  PRESSURE:  LOW 

BOILER  STEAM  DRUM  FLOW  IN:  NORM  BOILER  STEAM  I»UM  FLOW  OUT:  LOW 

BOILER  STEAM  DRUM  TEMP:  LOW 

BOILER  WATER  mUM  FLOW  IN:  NORM  BOILER  WATER  I»UM  FLOW  OUT:  N(«M 

SUPERHEATER  FLOW  IN:  LOW  SUPERHEATER  FLOW  OUT:  LOW 

SUPERHEATER  RUPTURE:  FALSE  SUPERHEATER  TEMP:  LOW 

DESUPERHEATER  FLOW  IN:  LOW  DESUPERHEATER  FLOW  OUT:  LOW 

DESUPERHEATER  RUPTURE:  FALSE  DESUPERHEATER  TEMP:  LOW 

GENERATION  TUBES  FLOW  IN:  N(»M  GENERATION  TUBES  FLOW  OUT:  LOW 

GENERATION  TUBES  RUPTURE:  FALSE  GENERATION  TUBES  TEMP:  LOW 

FURNACE  raCK  STATUS:  FUEL.ONJ>EaC  FIRING  RATE:  NONE 

BOILER  EXPLOSION:  FALSE  PERISCOPE:  CLEAR 

FIRES  LIT:  FALSE  FIRE  APPEARANCE:  NONE 

///////////////////////////////////////////^^^^^^ 

Ob«  nsfiBr  finif  bow  I  ibivc  yooTfluin 

CHANGE  VALVE  (QHARACIERISTIC  OR.  (V)ALVE  STATUSTv 

ENTER  VALVE  TO  CHANGE:  vrii 

VALVE  STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 

VSH  SHUT  NORM  NORM  NONE  N(»4E 

VALVE  STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 

VSH  SHUT  HIGH  NORM  NONE  NCWE 

VALVE  STATUS  INPUT  PRESS  INPUTFLOW  OUTPUTFRESS  OUTPUTFLOW 

MSS  OTON  NONE  NONE  N(»4E  NC»4E 

VALVE  STATUS  INPUT  PRESS  INPUTFLOW  CRITPUTFRESS  OUTPUTFLOW 

DESUPJN  OPEN  NCmE  NCME  MME  N(M4E 
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VALVE 


STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 


BLEED  SHUT  NONE  NONE  NONE  NONE 

VALVE  STATUS  INPUT  HIESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 


(»JE_FIFTY 

JN  OPEN  N(M4E  N(mE  NCH4E  NONE 

VALVE  STATUS  INPUTPRESS  INPUT  FLOW  OUTPUTFRESS  OUTPUT  FLOW 
SAFETIES  OPEN  NORM  NORM  NORM  NORM 


PLANT  STATUS-BOILER 

BOILER  STEAM  I»UM  WATER  LEVEL:  N(»M  BOILER  STEAM  I»UM  PRESSURE:  UFT  SAFE  HI 

BOILER  STEAM  mUM  FLOW  IN:  N(»M  BOILER  STEAM  DRUM  FLOW  OUT:  NORM 

BOILER  STEAM  DRUM  TEMP:  N(»M 

BOILER  WATER  mUM  FLOW  IN:  NORM  BOILER  WATER  DRUM  FLOW  OUT:  NORM 

SUPERHEATER  FLOW  IN:  NORM  SUPERHEATER  FLOW  OUT:  N(»M 

SUPERHEATER  RUPTURE:  FALSE  SUPERHEATER  TEMP:  NORM 

DESUPERHEATER  FLOW  IN:  NONE  DESUPERHEATER  FLOW  OUT:  NONE 

DESUPERHEATER  RUPTURE:  FALSE  DESUPERHEATER  TEMP:  NORM 

GENERATION  TUBES  FLOW  IN:  NORM  GENERATION  TUBES  FLOW  OUT:  N(»M 

GENERATION  TUBES  RUPTURE:  FALSE  GENERAHON  TUBES  TEMP:  NORM 

FURNACE  DECK  STATUS:  NO  FUELjON  DECK  FIRING  RATE:  NORM 
BOILER  EXPLOSION:  FALSE  PERISCCVE:  CLEAR 

FIRES  UT:  IRUE  FIRE  APPEARANCE:  FAN.SHAPED 

mnniwiiimminiiimmiminminummmimwimimimiHmminmiiiiiniiiimiimiiiiiiiiiiiiiiiiiiiiiii 


VALVE  STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 

VSH  SHUT  LQT.SAFE.HI  N(»M  NONE  NONE 

VALVE  STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 

SAFETIES  OPEN  LIFT_SAFE_HI  NORM  LIFT_SAFE_HI  NORM 

n^LNT  STATUS-BOILER 

BOILER  STEAM  mUM  WATER  LEVEL:  NORM  BOILER  STEAM  IXLUM  PRESSURE:  HIGH 

BIHLER  STEAM  DRUM  FLOW  IN:  NORM  BOILER  STEAM  DRUM  FLOW  OUT:  NORM 

B(ELER  STEAM  DRUM  TEMP.  NORM 

BCNLER  WATER  DRUM  FLOW  IN:  NORM  BOILER  WATER  DRUM  FLOW  OUT:  NOIM 

SUPERHEATER  FLOW  IN:  NORM  SUPERHEATER  FLOW  OUT:  NORM 

SUPERHEATER  RUPTURE:  FALSE  SUPERHEATER  TEMP  NORM 

DESUPERHEATER  FLOW  IN:  NONE  DESUPERHEATER  FLOW  OUT:  N(E4E 

DESUPERHEATER  RUPTURE:  FALSE  DESUPERHEATER  TEMP  NORM 

GENERATKW  TUBES  FLOW  IN:  NORM  GENERATKXf  TUBES  FLOW  OUT:  NORM 

GENERATTCm  TUBES  RUPTURE:  FALSE  GENERATION  TUBES  TEMP:  NORM 

FURNACE  IffiCK  STATUS:  NO  JUELjCm.DECK  FIRING  RATE:  NORM 

B(MLER  EXPLOSKW:  FALSE  PERISCOPE:  CLEAR 

FIRES  UT:  TRUE  FIRE  APPEARANCE:  FAN_SHAPED 

//////////////////////////////^^^^^^^ 
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VALVE 


STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 


SAFETIES  OPEN  HIGH  NORM  HIGH  NORM 

PLANT  STATUS-BOILER 

B(MLER  STEAM  DRUM  WATER  LEVEL;  N(»M  BOILER  STEAM  DRUM  PRESSURE:  NORM 

BOILER  STEAM  DRUM  FLOW  IN:  N(»M  BOILER  STEAM  EAUM  FLOW  OUT:  NORM 
BOILER  STEAM  IMUM  TEMP:  NORM 

BOILER  WATER  DRUM  FLOW  IN:  NORM  BOILER  WATER  I»UM  FLOW  OUT:  NORM 

SUPERHEATER  FLOW  IN:  NORM  SUPERHEATER  FLOW  OUT:  N(»M 

SUPERHEATER  RUPTURE:  FALSE  SUPERHEATER  TEMP:  NORM 

I»SUPERHSA1ER  FLOW  IN:  NONE  DESUmHEATER  FLOW  OUT:  NONE 

raaSUPERHEATER  RUPTURE:  FALSE  DESUPERHEATER  TEMP:  NORM 

GENERATION  TUBES  FLOW  IN:  NORM  GENERATION  TUBES  FLOW  OUT:  NORM 

GENERATION  TUBES  RUPTURE:  FALSE  GENERATION  TUBBS  TEMP:  N(HIM 


FURNACE  DECK  STATUS:  NO_FUEL.ON_DECK  FIRING  RATE:  N(«M 

BCHLER  EXPLOSION;  FALSE  PERISCXE>E:  CLEAR 

FIRES  LIT:  TRUE  FIRE  APPEARANCE-  FAN  SHAPED 


SAFETTBS  SHUT  NORM  NORM  NONE  NONE 


PLANT  STATUS-BOILER 

BCNLER  STEAM  DRUM  WATER  LEVEL:  NORM  BOILER  STEAM  DRUM  PRESSURE:  NC«M 

BCXLER  STEAM  IMUM  FLOW  IN:  NORM  BOILER  STEAM  DRUM  FLOW  OUT:  NORM 
BOILER  STEAM  DRUM  TEMP:  NORM 

BOILER  WATER  mUM  FLOW  IN:  NORM  BOILER  WATER  NIUM  FLOW  OUT;  NORM 

SUPERHEATER  FLOW  IN:  NORM  SUPERHEATER  FLOW  OUT;  N(»M 

SUPERHEATER  RUPTURE:  FALSE  SUPERHEATER  TEMP:  NORM 

I»SUPERHEATERFLOWlN:N(mE  ^SUPERHEATER  FLOW  OUT:  NONE 

DESUPERHEATER  RUPTURE:  FALSE  DESUPERHEATER  TEMP;  HIGH 

GENERATED  TUBES  FLOW  IN:  NORM  GENERATION  TUBES  FLOW  OUT:  NORM 

GENERATKWnraES  RUPTURE:  FALSE  CENERATT(»«  TUBES  TEMP:  NORM 


FURNACE  DECK  STATUS:  NO_FUELjCW.raCX  FIRING  RATE:  NORM 

BOILER  EXPLQSKH4:  FALSE  PERISCOPE:  CLEAR 

FIRES  UT:  TRUE  FIRE  ABPEARANCE:  FAN  SHAPED 


VALVE  STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUTFLOW 
VSH  SHUT  NORM  NORM  NONE  NONE 
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VALVE  STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 
VSH  SHUT  HIGH  NORM  NONE  NONE 

VALVE  STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 
SAFETIES  OPEN  N(»M  NORM  N(»M  N(»M 

PLANT  STATUS-BOILER 

B(HLER  STEAM  DRUM  WATER  LEVEL:  NORM  BOILER  STEAM  I»UM  PRESSURE:  UFT.SAFEJQ 
BOILER  STEAM  UtUM  FLOW  IN:  N(»M  BOILER  STEAM  I»UM  FLOW  OUT:  NORM 

BOILER  STEAM  DRUM  TEMP:  NORM 

BOILER  WATER  I«UM  FLOW  IN:  NORM  BOILER  WATER  I«UM  FLOW  OUT:  N(»M 

SUPERHEATER  FLOW  IN:  NCXIM  SUPERHEATER  FLOW  OUT:  NORM 

SUPERHEATER  RUPTURE:  FALSE  SUPERHEATER  TEMP:  NORM 

DESUPERHEATER  FLOW  IN:  NONE  DESUPERHEATER  FLOW  OUT:  NONE 

DESUPERHEATER  RUPTURE:  FALSE  DESUPERHEATER  TEMP:  HIGH 

GENERATION  TUBES  FLOW  IN:  NORM  GENERATION  TUBES  FLOW  OUT:  NOtM 

GENERATTCm  TUBES  RUPTURE:  FALSE  GENERATION  TUBES  TEMP:  NORM 

FURNACE  DECK  STATUS:  NO_FUELjON_DECK  FIRING  RATE:  NORM 
BOILER  EXPLOSION:  FALSE  PERISOCVE:  CLEAR 

FIRES  LIT:  TRUE  FIRE  APPEARANCE:  FANJSHAPED 

/////////////////////////////////////////////^^^^^^ 

VALVE  STATUS  INPUT  PRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  FLOW 

VSH  SHUT  LIPr_SAFE_HI  NORM  NONE  NONE 

VALVE  STATUS  INPUTPRESS  INPUT  FLOW  OUTPUT  PRESS  OUTPUT  PLOW 
SAFETTBS  WEN  UFTjSAFEjn  NORM  UFT.SAFE.HI  NWM 

VALVE  CTATUS  INPUT  PRESS  INPUTFLOW  OUTPUTFRESS  OUTPUTFLOW 

SAFETTBS  OPEN  HIGH  NORM  HIGH  NWM 

PLANT  STATUS-BOILER 

B(XLER  STEAM  nWM  WATER  LEVEL:  NORM  BCHLER  STEAM  DRUM  PRESSURE:  HIGH 

B(MLER  STEAM  DRUM  FLOW  IN:  NORM  BOILER  STEAM  DRUM  FLOW  OUT:  NORM 

B(RLER  STEAM  DRUM  TEMP:  NORM 

BCXLER  WATER  DRUM  FLOW  IN:  NWM  BOILER  WATER  MUM  FLOW  OUT:  NWM 

SUPERHEATER  FLOW  IN;  NORM  SUPERHEATER  FLOW  OUT:  NORM 

SUPERHEATER  RUPTURE:  FALSE  SUPERHEATER  TEMP;  NORM 

DESUPERHEATER  FLOW  IN;  NWIE  DESUPERHEATER  FLOW  OUT;  N(»IB 

DESUPERHEATER  RUPTURE:  FALSE  DESUPERHEATER  TEMP:  HIGH 

OENERATIWI  TUBBS  PLOW  IN:  NORM  GENERATION  TUBES  FLOW  OUT:  NWM 

GENERATKMf  TUBES  RUPTURE:  FALSE  GENERATION  TUBBS  TEMP;  NORM 
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PLANT  STATUS-BOILER 

BCHLER  STEAM  MUM  WATER  LEVEL:  NCHIM  BOILER  STEAM  MUM  PRESSURE:  NMM 
BOILER  STEAM  MUM  FLOW  IN:  NMM  BOILER  STEAM  MUM  FLOW  OUT:  NORM 

BOILER  STEAM  MUM  TEMP:  NMM 

BOILER  WATER  MUM  FLOW  IN:  NORM  BOILER  WATER  MUM  FLOW  OUT;  NORM 

SUPERHEATER  FLOW  IN:  NORM  SUPERHEATER  FLOW  OUT:  NMM 

SUPERHEATER  RUPTURE:  FALSE  SUPERHEATER  TEMP:  NORM 

DESUPERHEATER  FLOW  IN:  NONE  DESUPERHEATER  FLOW  OUT:  NONE 

DESUPERHEATER  RUPTURE:  FALSE  DESUreRHEATER  TEMP:  HIGH 

GENERATION  TUBES  FLOW  IN:  NORM  GENERATION  TUBES  FLOW  OUT:  NORM 

GENERATION  TUBES  RUPTURE:  FALSE  GENERATION  TUBES  TEMP:  NMM 


FURNACE  DECK  STATUS:  NO_FUEL_ON_DECK  FIRING  RATE:  NORM 

BOILER  EXPLOSIM;  FALSE  PERISCME:  CLEAR 

FIRES  UT:  TRUE  FIRE  APPEARANCE:  FAN.SHAPED 


AOLREG  OPEN  NORM  HIGH  NORM  HIGH 


PLANT  STATUS-BOILER 

B(XLER  STEAM  MUM  WATER  LEVEL:  NORM  BOILER  STEAM  MUM  PRESSURE:  NMM 

BMLER  STEAM  MUM  FLOW  IN:  NMM  BOILER  STEAM  MUM  FLOW  OUT:  NORM 
BCHLER  STEAM  MUM  TEMP:  NORM 

BOILER  WATER  MUM  FLOW  IN:  NORM  BCHLER  WATER  MUM  FLOW  OUT:  NORM 

SUPERHEATER  FLOW  IN:  NORM  SUPERHEATER  FLOW  OUT;  NORM 

SUPERHEATER  RUPTURE:  FALSE  SUPERHEATER  TEMP:  LOW 

DESUPERHEATER  FLOW  IN:  NORM  DESUPERHEATER  FLOW  OUT:  NORM 

DESUPERHEATER  RUPTURE:  FALSE  DESUPERHEATER  TEMP:  NORM 
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GENERATION  TUBES  FLOW  IN;  N(»M 
GENERATION  TUBES  RUPTURE:  FALSE 


GENERATION  TUBES  FLOW  OUT:  NORM 
GENERAIION  TUBES  TEMP:  NORM 


FURNACE  DECK  STATUS:  NO_FUEL  ON_DECK  FIRING  RATE.  NORM 

B(HLER  EXPLOSION:  FALSE  PERlSCa>E:  ORANGE 

FIRES  LIT:  IRUE  FIRE  APPEARANCE-  IRREGULAR 
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APPENDIX  C  (ADA/LISP  COMPARISON  CODE) 

ADA  CODE 


wiihTEXTJO; 

uaeTEXTJO; 

procedure  BOn£R_MODEL  is 


type  MEASUREMENT  VALUE  is  (OPEN.  SHUT.  HIGH.  NORM.  LOW.  NONE. 

HIGH  BUT  NOT_ALARM.  LOW  BUT_NOT_ALARM,  HIGH_ALARM. 
LOW  ALARM.  SAFETIES_LIFT_HIGH.DRAG_OFF_LINE_LOW. 
CLEAR.  ORANGE); 

typeINI£Xis(A  MSS.  A  ASS.  A  DESUP.IN.  A_SH_PROT_IN.  A_SAFET1ES. 

A  AIR  REG.  A  SHUTTERS.  A_FUEL_MAN.A_FOCV. 

a" PO  RECIRC.  FUEL_PUMP_DISCH.  A_FEED_ST0P.  A_FWCV. 

A~MAN  CHK.A_BLEED.AUG.FDB_IN.0NE_FIFTY_IN. 

SOOT  BLOW  SUP.PMAC  IN.ER  BLKHD.STOP, 

amr_blkhd_stop.  mfpIstm.sup); 

peckane  HO  is  new  INTEGERJO(INTEGER); 
use  DO; 

pKkan  INDEX.IO  is  new  ENUMERATIONJO(INDEX): 
nseDlraX_IO; 

package  MEASUREMENT_VALUE_IO  is  new 

ENUMERATIONJO(MEASUREMENT_VALUE); 
use  MEASUREMENT.VALUEJO; 

type  VALVE; 


type  VALVE_PTR  is  access  VALVE; 

type  CROSS  CHECKis«iay(A_MSS.JiffP_STM_SUP)of  VALVE.PTO; 
VALVE_LOC)K_UP:  CROSS.CHECK; 

type  VALVE_PTR_ARRAY  is  anay(L.l(I)  of  VALVE.PTR; 

type  VALVE  is 
record 

VALVEJD:fl®EX; 

UPSTREAM,  DOWNSTREAM;  VALVE  PTR_ARRAY; 

COUNTED:  BOOLEAN:-  FALSE; 

NEICT:  VALVE.PTR; 
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STATUS;  MEASUREMENT_VALUE:=  SHUT; 

INPUT:  MEASUREMENT_VALUE:=  NONE; 

OUTPUT:  MEASUREMENT_VALUE:*  NONE; 
endiecofd; 

VIRTUAL  SH  OUTLET:  VALVE  PTR:«  new  VALVE; 

ALPHA  MAIN  STEAM  STOP:  VALVE  PTR:»  new  VALVE; 

ALPHA”AUX  steam  STOP:  valve  PTR:=  new  VALVE; 
alpha” MSUPERHEATER  INLEP.  VALVE_PTR:=  new  VALVE; 
ALPHA”SUPERHEATER  protection  INLET:  VALVE_PTR:=  new  VALVE; 
alpha” SAFETIES:  VAL\nE_PTR:«  new  VALVE; 
alpha” AIR_REGISTERS:  VALVE_PTR.*«  new  VALVE; 
alpha” air  SHUTTERS;  VALVE  PTR:»  new  VALVE; 

ALPHA”FUa  MANIFOLD;  VALVE_PTR:=  new  VALVE; 

ALPHAIfUEL”OIL  control  VALVE:  VALVE_PTR:*  new  VALVE; 

ALPHA  FUEL”RECIRC;  VALVE  PTR-*  new  VALVE; 

FO  SVC  PUN#  DISCH:  VALVE_PTR:*  new  VALVE; 

ALPHA  FEED  STOP  VALVE;  VALVE  PTR;=  new  VALVE; 

ALPHA”FWCV:  VALVE_PTR:«  new  VALVE; 

alpha” manual  check  VLV:  VALVE_PTR:=  new  VALVE; 

alpha” BLEEDER:  VALVE  PTR:*  new  VALVE; 

AUGMHSTOR:  VALVE_PTR:«  new  VALVE; 

FDB  INLET:  VALVE  PTR:«  new  VALVE; 

CM«” FIFTY  INLET;  VALVE_PTR;»  new  VALVE; 

SOOT  BLOV^  SUPPLY:  VALVE  PTR:*  new  VALVE; 

PMAC”  INLET:  V7U-VE_PTR:=  new  VALVE; 

ER  BILKHEAD  STOP:  VALVE  PTR;»  new  VALVE; 

AK®  BULKHE>Q>  STCM*;  VALVE_PTR:»  new  VALVE; 

MFP  STM  SUPPLY:  VALVE_PTR:«  new  VALVE; 


TRACE.  REVISED.  REPROPAGATE.  GONE.THRU:  boolean:^  FALSE; 

type  BOILER  is 
leconl 

WATERJJEVEL:  MEASUREMENT.VALUE;-  NCffiM; 

STEAM  I»UM  PRESSURE.  SUFERHEATER.OUTLET.TEMP: 

MEASUREMENT  VALUE:- LOW; 

FUEL  PRESSURE.  AIR:  MEASUREMENT.VALUE:-  N(X4E; 
FIRE_STATUS:  BOOLEAN:-  FALSE; 
eodrecbnl; 


ALPHA^BOILER;  BOILER; 

-procedure  to  establish  valve  upstream/downstream  older 
procedure  ASSIGN_VALVE_^IDER  is 
begin 

VKTUAL  SH  0UTLET.D0WNSTREAM(1):-ALPHA_MAIN_STEAM_ST0P; 
virtual” SH”0UTLET.D0WNSTREAM0):»  ALraA_DESUPERHEATER_INLET; 
ALPHA  MAIN_STEAM  STOP.UPSTREAM(l):- VIRTUAL_SH_OUTLET; 

ALPHAIMAIN  STEAM_ST0PJX)WNSTREAM(1):-ER_BULKHEAD_ST0P; 
ALPHA_MAIN” steam  ST0P.D0WNSTREAM(2):-AMR_BULKHEAD_ST0P; 

ALPHA  MAIN" STEAM”ST0P.D0WNSTREAM(3):-MFP_STM_SUPPLY; 
ALPHAII)ESUPERHEATER_INLET.UPSTREAM(I):-  VIRTUAL_SH_0UTLET; 
ALPHA_DESUPERHEATER  inlet JX)WNSTREAM(1):-ALPHA_AUX_STEAM_ST0P; 
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ALPHA  IffiSUPERHEATER  INLETJX>WNSTREAM(2):*  ALPHA.BLEEDER; 
ALPHA'AUX  steam  ST0P.UPSTREAM(1):»  ALPHA_DESUraRHEATER_INLET; 
ALPHA“AUX"STEAM“ST0P.D0WNSTREAM(1):»  AUGMENTOR; 
ALPHA“AUX”STEAM”ST0P.D0WNSTREAM(2):*  FDB.INLET; 
ALPHA“AUX''STEAM~ST0P.D0WNSTREAM(3):=  0NE_FIFTY_INLET; 
ALPHA"AUX"STCAM"ST0P.D0WNSTREAM(4):*S00T_BU)WER_SUPPLY; 
ALPHA“AUX"STEAM”ST0P.D0WNSTREAM(5):«  PMAC_INLET; 

ALPHA~AIR  REGIST^.UPSTREAM(l):«ALPHA_AIR_SHinTERS; 

ALPHA“AIR~ SHUTTERSJ)0WNSTREAM(1):=  ALPHA_AIR_REGISTERS; 

ALPHA  FUEL  MANIFOLD.UPSTREAM(l):«  ALPHA_FUEL_OIL_CONTROL_VALVE; 
ALniA  FUEL  OIL  CXWTROL  VALVE.UPSTREAM(1):«  FO_SVC_PUMP_DISCH; 
ALraA“FUEL"OIL~CX)NTROL_VALVE.DOWNSTREAM(l);= 

AIJ»HA  RJEL"  MANIFOLD; 

ALraA  FUEL  OIL  CONTROL  VALVEJLiOWNSTREAM(2).-«  ALPHA_FUEL_RECIRC; 
ALPHAJFUEL  MC»C.UPSTREAM(1):«  ALPHA_FUEL_0IL_C0NTR0L_VALVE; 
ALPHA_FUEL”RECIRC.UPSTREAM^):»  ALPHA_FUEL_MAN1F0LD; 

FO  SVC  PUMP  DISCHIX)WNSTREAM(1):«  ALPHA_FUEL_OIL_CONTROL_VALVE; 
AU^_FEED  StCM»  VALVE.DOWNSTREAM(l):»  ALPHA.FWCV; 

ALPHA  FWCV.UPSTOEAM(l):»ALPHA_FEED_STOP_VALVE; 
ALra[AJFWCVJX)WNSTREAM(l):»  ALPHA_MANUAL_CHECK_VLV; 
ALPHA_MANUAL  CHECK_VLV.UPSTREAM(1):«  ALPHA_FWCV; 

ALPHA  BLEEraR.UPSTREAM(l):>  ALPHA_E£SUPERHEATER_INLET; 
AUGM0<TOR.UPSTREAM(1):-  ALPHA_AUX_STEAM_STOP; 

FDB  INLET.UPSTREAM(l):-  ALPHA  AUX_STEAM_STCX>; 

0NE"FIFTY  INL£T.UPSTREAM(1):»ALPHA_AUX_STEAM_STCM>; 

SOOf  BLOU^  SUPPLY.UPSTREAM(1):«ALPHA_AUX_STEAM_ST0P; 

PMAC  INLET.UPSTREAM(1):«  ALPHA  AUX_STEAM_STCM^ 

ER  BIRJCHEAD  STW.UPSTREAMd):-  ALKIA_MAIN_STEAM_STOP; 

Afcfll  BULKHEAD  STOP.UPSTREAM(I):«  ALPHA_MAIN_STEAM_STOP; 
MFP3TM_SUPPLY.UPSTREAM(1);«  ALPHA_MAIN_STEAM_ST0P; 

end  ASSIGN.VALVE.ORDER: 


-procedure  lo  "tmt  up”  a  boikr 
procedure  UGHT.CXT  is 
begin 

ALPHA.B0ILER.STEAM_DRUM_PRESSURE:«  NORM; 
ALPHA JIOILER^UPERHEATER  OUTLET.IEMP:- NORM; 
ALPHA  BOILERJUEL_PRESSURE-NORM; 

ALPHA  BOILER^:- NORM; 
ALPHA_BOILEREIR£_STATUS:-  TRUE; 

endUGHT.OFF; 

-procedure  to  put  boiler  on  the  line  and  align  valves 
procedure  INTTIALIZE.PLANT  is 
CURRENT:  VALVE_FTR:»  ALPHA_MAIN_STEAM_STOP; 
begn 

ASSIGN  VALVE_ORDER; 

LI0HT_5FF; 
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VIRTUAL  SH  OUTLET.STATUS:=OPEN; 

VIRTUAL.SH  OUTLET.INPUT:=  NORM; 

ALPHA  MAIN_STEAM_STOP.STATUS:=OPEN; 

ALPHA  MAIN_STEAM_STOP.NEXT:=  ALPHA  AUX  STEAM.STOP; 

ALPHA  AUX.STEAM  STOP.STATUS:=  OPEN;' 

ALPHA  AUX  STCAM_STOPJ'^EXT:=  ALPHA  DESUPERHEATER_INLET; 
ALPHA  DESUPERHEATER_INLET.STATUS:=OPEN; 

ALPHA  DESUPERHEATER  INLETJ<EXT;= 

ALPHA_SUPERHEATER_PROTECTION_INLET; 

ALPHA  SUPERHEATCR.PROTECnON  INLET.STATUS:=  SHUT; 
ALHIA'SUPERHEATER  PROTECnON_INLETJ^XT:=  ALPHA.SAFETIES; 
ALPHA  SUreRHEATER  PROTECTION_INLET.INPUT:=  NORM; 

ALPHA  SAFETIES.STATUS:-  SHUT; 

ALPHA  SAFETIES.NEXT;*  ALPHA  AIR.REGISTERS; 

ALPHA  SAFETIES.INPUT;=NORMr 
ALPHA  AIR  REGISTERS.STATUS:*OPEN; 

ALPHA  AIR'REGISTERS.NEXT:»ALPHA_AIR  SHUTTERS; 

ALPHA  AIR  SHUTTERS^TATUS:«OPEN; 

ALPHA  AIR  SHUTTERS  J^XT:«  ALPHA  FUEL.MANIFOLD; 

ALPHA  AIR"SHUTTERSJNPUT:-N0RM; 

ALPHA  FUEL  MANIFOLD.STATUS:- OPEN; 

ALPHA  FUEL  MANIFOLD.NEXT:«  ALPHA_FUEL_OIL  CONTROL.VALVE; 
ALHIA  FUEL  OIL_CONTROL_VALVE.STATUS:«  OPEN; 
ALHIA.FUEL.OIL  CONTROL  VALVEJ'JEXT:.  ALPHA  FUEL.RECIRC; 
ALPHA_FUEL_RECIRCSTATUS:*  SHUT; 
ALPHA_FUELJlECIRCJIEXT:-PO  SVC_PUMP_DISCH; 
PO_SVC_PUMP_DISCH.STATUS:«  OPEN; 

FO_SVC_PUMP_DISCHJNEXT:-  ALPHA  FEED  STOP  VALVE; 
PO_SVC_PUMP_DISCH  JNPUT:- NORM; 

ALPHA_FEED_STOP  VALVESTATUS:»  OPEN; 
ALPHA_FEED_STOP_VALVEJ^XT:«  ALPHA_FWCV; 

ALPHA  J!EED_STOP_VALVEINPUT:«  NORM; 

ALPHAJ^CV^TATUS:*  OPEN; 

ALPHA_FWCVJ4EXT:«  ALPHA  MANUAL  CHECK  VLV; 
ALPHA_MANUAL_CHECK  VLV^ATUS:- OPEN; 
ALPHA_MANUAL_CHECK_VLVJ4EXT:»  ALPHA  BLEEDER; 
ALPHA_BLEEDER  STATUS:-  SHUT; 

ALPHA_BLEEI^^XT:-  AUGMENTOR; 

AUGMENTOR^ATUS:-  (X>EN; 

AU0MENTC«J4EXT:-FDB  INLET; 

FDB_INLEr^ATUS:»  CMW; 

FDB_INLET JIEXT:»  (X^E  FIFTY  INLET; 

Cy<E_FIFrY  INLET^TATtJS:-OPEN; 

(WEJTFTY.INLETJ^EXT:-  SOOT  BLOWER  SUPPLY; 
S00T_BL0WER_SUPPLY.STATUS~»0PEN;  " 
SOOT_BLOWER_SUPPLYJ<EXT:*PMAC  INLET; 

PMAC.INLET^ATUS:-  SHUT; 

PMAC  INLETJffiXTr-ER  BULKHEAD.STCH*; 
ER_BULKHEAD_STCM*^ATUS:«  OPEN; 

ER_BULKHEAD_STOPJIEXT:»  AMR_BULKHEAD_STOP. 
AMR_BULKHEAD  STOP.STATUS:-OPEN; 
AMR_BULKHEAD_STCX>J4EXT:>  MFP  STM.SUPPLY; 
MFP_STM_SUPPLY.STATUS:-0PEN;  ' 
for  i  in  A_MSS..MFP  STM  SUP  loop 
CURRENT.VALVE  ID>~i; 

VALVE_LOOK_UI^i):«  CURRENT; 

CURRENT:-  CURRENTJ^EXT; 

Old  loop; 

end  INTffiMJZE.PLANT; 


113 


-procedure  to  provide  trace  to  user 

procedure  SHOW_VALVE_STATUS  (AFFECTED:  in  out  VALVE_PTR)  is 
CURRENT:  VALVE_PTR:=  ALPHA_MAIN_STEAM_STOP; 


b^in 

PUTCVALVE"); 

SET_COL(30); 

PUTC'STATUS’O; 

SET_OOL(40); 

PurriNPUTO; 

SET_OOL(60); 

PUT_LINECX)UTIWO; 

PUT(“ — -); 

SET_COL(30); 

pure* — ”); 

SET_COL(40); 

pure* — *0; 

SET_OOL(60); 

pure* - "): 

NEWJLINE(2); 

while  CURRENT /*  null  lo(q) 

PUT(CURRENT.VALVE_ID): 

SET_COL(30); 

PUT(CURRENT.STATUS); 

SET  COL(40); 

PUT(CURRENTJNPUT); 

SET_COL(60); 

PUT(CURRENT.OUTPUT); 
if  CURRENT  a  AFFECTED  then 
SET_COL(70); 

PUTC^^CHANGE**"); 
end  if; 

NEWJJNE; 

CURRENT:-  CURRENTJ^EXT; 
end  loop; 

PUTjSffir - "); 

PinLLINET///////////^^^^^^^ 

PUTJJNET - ”): 

NEW  LINE(2) 

end  SHOW_VALVE_STATUS; 

-procedure  to  check  if  there  is  still  flow  in  a  system  after  a  valve  status  change. 

-If  not,  an  oveipiessurization  will  result 

procedure  CHECK_FOR_FLOW(VALVE_IN:  in  out  VALVE.PTR;  FLOW:  in  out  BOOLEAN)  is 
COUNT,  COUNT2:  NATURAL:-  1; 


begin 

v5iVE_IN.COUNTED:-  TRUE; 

if  VALVE_IN.STATUS  -  OPEN  and  VALVE_IN.DOWNSTREAM(l)  -  nuU  then 
FLOW:- TRUE; 


else 

if  VALVE_IN.STATUS  -  OPEN  then 

while  VALVE.IN  JX)WNSTREAM(COUNT)  ^  nuU  and  FLOW  -  FALSE  loop 
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if  VALVE  IN.DOWNSTREAM(COUND.COUNTED  =  FALSE  then 
CHECK_FOR_FLOW(VALVE_IN.DOWNSTREAM(COUND.  FLOW); 
end  if; 

COUNT:*  COUNT  + 1; 
end  loop; 
end  if; 

if  FLOW*  FALSE  then 

while  VALVE  IN.UPSTREAM(COUNT2)  /*  null  and  FLOW  *  FALSE  loop 
CHECK  FOR_FLOW(VALVE  IN.UPSTREAM(COUNT2).  FLOW); 
COUNTS:*  COUNT2  + 1; 
end  loop; 
end  if; 
end  if; 

end  CHECK_FOR_FLOW; 

-pioceduie  to  create  the  overpressurization  if  there  is  no  flow 
procedure  OVERPRESSURE(AFFECTED:  in  out  VALVE_PTR)  is 
COUNT,  COUNT2:  NATURAL:*  1; 
begin 

AFFECTED.INPUT:*  HIGH; 
if  IRACE  *  TRUE  then 
SHOW_VALVE_STATUS(AFFECTED); 
end  if; 

while  AFFECrED.UPSTREAM(COUNT)  h  nuU  loq) 
AFFECIED.UPSTREAM(COUNT).OUTPUT:*  HIGH; 

whUe  AFFECTED.UPSTREAM  (COUNT)J)OWNSTREAM(COUNT2)  /=  null  loop 
if  AFFECTED.UPSTREAM(COUNT).DOWNSTREAM(COUNT2)  JNPUT  /= 
HIGH  then 

OVERPRESSURE(AFFECTED.UPSTREAM(COUND.DOWNSTREAM 

(COUNT2)); 

end  if; 

COUNTi*  COUNT2  + 1; 
end  loop; 

if  AH®CTED.UPSTREAM(COUNT).STATUS  *  OPEN  dien 
OVERPRESSURE(AFFECTED.UPSTREAM(COUNT)); 
end  if; 

COUNT:*  COUNT  + 1; 
end  loop; 

endOV&PRESSURE; 


-procedure  to  ensure  proper  propagation  of  valve  inputAnitputs 

procedure  PR(M»AGATE_VALVE_VALUES  (AFFECTED;  in  out  V  ALVE.PTR)  is 

COUNT:  NATURAL:*  1; 

FLOW:  BOOLEAN:*  FALSE; 

CURRENT:  VALVE.PTR:*  ALPHA_MAIN_STEAM_STOP; 

if  AFFECTED.STATUS  *  OPEN  then 
AFFECTED.OUTPUT:*  AFFECTED.INPUT; 


ns 


if  IKACE  s  IHUE  then 
SHOW_VALVE_STATUS(AFFECTED); 
end  if: 
dae 

AFFECIED.OUTPUT:=  NONE; 
if  IHACE  «  TRUE  then 
SHOW_VALVE_STATUS(AFFECTED); 
end  if; 

CHECK  FOR_FLOW(AFFECrED.FLOW); 
if  FLOW  «  FALSE  then 
OVERPRESSURE(AFFECTED); 
end  if; 

while  CURRENT  h  null  loop 
CURRENT.COUNTED:=  FALSE; 

CURRENT:*  CURRENT  J4EXT; 
cndlotq); 
end  if; 

while  AFFECTED.DOWNSTREAM(COUNT)  M  null  loop 
AFFECTED  JX)WNSTREAM(COUNT)JNPUT:=  AFFECTED.OUTPUT; 
PROPAGATE  VALVE  VALUES(AFFECTED.IX)WNSTREAM(COUND): 
COUNT:*  COUNT +1; 
end  loop; 

end  PROPAGATE_VALVE_VALUES; 

-start  iqtdating  boiler  status  once  a  valve  propagation  has  been  completed 
procedure  ALPHA_BOILER_UPOATE  is 
begin 

ALniA  BOa£R J^UEL  PRESSURE:*  ALPHA  FUEL  MANIFOLD.OUTPUT; 
ALPHA_BOILER^:»ALPHA_AIR  REG1STERS.OUTPUT; 
if  ALPHA_B01L£REUEL_PRESSURE  *  NONE  then 
ALPHA_B01LERJ=IRE_STATUS:*  FALSE; 
end  if; 

if  ALPHA_BOILEREIRE_STATUS  «  FALSE  AND  GONE.THRU  *  FALSE  then 
ALPHA_BOILER^TEAM  DRUM  PRESSURE:*  LOW; 
ALPHA.BOILER^UPERHEATER  OUTLET_TEMP:«  LOW; 
ifALPHA_MAIN_STEAM  STOP^ATUS  *  OPEN 

or  ALPHA  DESUPERHEATER  INLET.STATUS  *  O^N  »ben 
REFROPAGATE:*  TRUE; 
end  if; 

GONE_THRU:*TRUE; 

endtf; 

case  ALPHA_MANUAL_CHECK_VLV.OUTPUT  is 
wiiraNCXlM*> 

ALPHA_BOILERWATER_LEVEL:*  NORM; 
whenNC^4E*> 

ALPHA_BOILERWATER_LEVEL:»  LOW.ALARM; 
when  LOW*> 

ALPHA_BOILER  WATER_LEVEL:*  LOW_BUT_NOT_ALARM; 
when  HIGH*> 

if  ALPHA_MAIN_STEAM_STOP^TATUS  *  SHUT  and 

ALPHA.DESUPERHEATER  1NLET.STATUS  *  SHUT  then 
ALFHA.BOILERWATER  LEVEL:*  HIGH  ALARM; 
else 
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ALPHA_BOILER.WATER_LEVEL:=  fflGH_BUT_NOT_ALARM; 
end  if; 

wiienothasB> 
nuU; 
end  esse; 

if  VIRTUAL  SH  OUTLET.INPUT  =  fflGH  then 
ALPHA_BOILER.STEAM_DRUM_PRESSURE:=  SAFETIES_LIFT_HIGH; 
end  if; 

ALPHA  SAFETIES.INPUT;»ALPHA_BOILER.STEAM_DRUM_PRESSURE; 
if  ALPHA^SAFETES  JNPUT  =  S  AFETIES_LIFT_HIGH  then 
ALPHA_SAFETIES.STATUS:=  OPEN; 
else 

AU»HA_SAFETIES.STATUS:«  SHUT; 
end  if; 

if  ALPHA_BOILER.STEAM  DRUM  PRESSURE  s  SAFETES.LIFT.HIGH  and 
(ALPHA  MAIN  STEAM.STOP^TATUS  =  OPEN  or 
ALPHA  DESUIERHEATBR_lNLET.STATUSs  OPEN)  then 
if  ALPHA_BOE£RJPIRE  STATUS  «  FALSE  then 
ALPHA_BOILER.SlEAM_DRUM_PRESSURE:s  LOW; 
ete 

ALPHA_BOILER^TEAM_DRUM_PRESSURE;=  NORM; 
end  if; 

REPROPAGATE:«  TRUE; 
end  if; 

VIRTUAL_SH_OUTLETJNPUT:=  ALPHA_BOILER.STEAM_DRUM_raESSURE; 
end  ALHIA.BOILER.UPDA’IE; 

-procedure  id  display  current  or  revised  status  of  fireroom  equipment 
procedure  STATUS.DISFLAY  is 
begin 

if  REVISED  then 

PUT_LINECThe  frrilowing  is  the  revised  status  of  your  plant:”); 
else 

PUT_LINE(”Tlie  fdlowing  is  the  current  status  of  your  jdant:”); 
end  if; 

NEWJJNEO); 

SET.OOL^; 

PUrriA  BOILER”); 

SETjOOL(4<J); 

pure* - ”); 

NEW  LINE; 

PUTC^WATER  LEVEL"); 

SET.OOLCW); 

PUT(ALPHA_BOILER.WATER  LEVEL); 

NEWJJNE; 

PUTfSTEAM  DRUM  PRESSURE”); 

SET_OOL(4<)); 

PUT(ALPHA^BOILER.STEAM_DRUM_PRESSURE); 

NEW_LD^ 

PUTfSUPERHEATER  OUnETTEMP”); 

SBT.OOLC-W); 

PUll(ALPHA_BOILER.SUPERHEATER_OUTLEr_TEMP); 

NEWJJNE; 

PUTTFUEL  PRESSURE!; 
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SETjCOUm; 

PUT(ALPHA  BOILERJUEL_PRESSURE); 

NEWJJNE; 

PUTCXOMBUSTION  AIR”); 

SEr_COL(4Q); 

PUT(ALPHA_BOILER.AIR); 

NEWJJNE; 

PUTfSTATUS  OF  FIRES"); 

SET_COL(40); 

if  ALPHA  BOILERJIRE  STATUS  thra 

PurruTO; 

else 

FUTCNOTUD; 
end  if; 

NEW_LINE(2); 
end  STATUS.DISPLAY; 

-main  propagation  procedure 

procedure  PROPAGATE  (V ALVE_IN:  in  out  VALVE_PTR)  is 
CURRENT:  VALVE_PTR:=  ALPHA_MAIN_STEAM_STOP; 

STATUS_DISPLAY; 

FUTC*FoDowing  is  a  valve  status  list”); 

NEWJ,INE(2); 

PUTCVALVE”); 

SET_COL(20); 

PUT_LINErSTATUS”); 

CURRENT /■  null  loop 
PUr(CURRENT.VALVE_ID); 

SET_COL(20); 

PUT(CURRENT^TATUS); 

NEWJJNE; 

CURRENT:-  CURRESTJiEXT; 
end  loop; 

NEWJJNE(2); 

PUT(VALVE_IN.VALVE_ID); 

PUTJJNEC*  status  has  been  changed.  Plx^tagation  undenvay."); 
NEWJJNE; 

if  V  AL  VE_IN.STATUS  «  OPEN  then 
VALVE.IN.STATUS:-  SHUT; 

VALVE_IN.OUTPUT:«  NONE; 
else 

VALVE_IN.STATUS:-  OPEN; 
end  if; 

PROPAGATE_VALVE_VALUES(VALVE  IN); 
ALPHA_BOILER_UPDATE; 

REVISED:- TRUE; 

STATUS_DISPLAY; 
if  REPROPAGATE  -  TRUE  then 
PROPAGATE_VALVE_VALUES(VIRTUAL_SH_OUTLET); 
end  if; 

REPROPAGATE:-  FALSE; 
endPROPAGAlE; 
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-start  the  main  jKocedure  here 

INITIALIZE  PLANT; 

FRCPAGATE  VALVE  VALUES(VIRTUAL_SH_OUTLET); 
PR0PAGATE"VALVE  VALUES(ALPHA_AIR_SHmTERS); 
PR(»»AGATE”VALVE  VALUES(F0_SVC_PUMP_DISCH); 
PROPAGATEIvALVE_VALUES(ALPHA_FEED_STOP_VALVE); 
TOUE" 

propagate(aLpha_fuel_oil_control_valve); 

PR(M»AGATE(ALPHA  DESUPERHEATER_INLET); 
PRCH»AGATE(ALPHA_MAIN_STEAM_ST0P); 
endBOILER_MODEL: 
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LISP  CODE 


(defstnia  valve 
valve-id 
ivstieam 
downstream 
counted 
next 
atanw 
input 
output) 

(defvar  *viitual-sh-outlet*  (make-valve 
:upstieamnil 

.‘downstream  ‘(*alidia-main-steam-stop* 
*alpna-desuperheater-infet*) 

:stanis  ‘c^n 
:counted  ‘false)) 

(defvar  *alpha-main-steam-stop*  (make-valve 

:valve-id  ‘a-mss 
:upstream  ‘(*viitual-sh-outlet*) 

:downstream  *(*er-bulkhead-s^* 
*amr-bulkhead-st(^* 
♦m^son-supply*) 

:counted  ‘false)) 

(defvar  ^alpha-aux-steam-stop*  (make-valve 

;valve-id  ‘a-ass 

:upsiream  ‘(*alpha-desuperheatar-inlet*) 
:downstream  ‘(*augmentm*  *fdb-inlet* 
•ooe-nfly-inlet* 

*soot-blower-suH)ly*  *pmac-inlet*) 
:counted  ‘false)) 

(defvar  *alpha-desuperfaeater-inlet*  (make-valve 

:valve-id  'a-deslq^in 
:upstream  *(*virn>al-sh-otttlet*) 

:downstream  *(*alpha-aux-steam-stop* 
*al{^-bleeder*) 

‘.counted  ‘false)) 

(defvar  *alpha-superlieater-ptotection-inlet*'  (make-valve 

:valve-id  ‘a-sh-prot-in 
.‘upstream  nil 
rdownstream  nil 
.‘counted  ‘false)) 


(defvar  *alpha-safeties*  (make-valve 

:valve-id  ‘a-safeties 
.’upstream  nil 
:downstream  nil 
:counted  ‘false)) 
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(defvar  *alpha*air^gisteis*  (make-valve 

:valve-kl  ‘a-air-ieg 
:i]pstream  ‘(^alpha-air-shutters*) 

:downstream  nil 
.‘counted  ‘false)) 

(defvar  ^aliriia-air-shutters*  (make-valve 

:valve-id  ‘a-shutters 
:upstreamnil 

:downstream  ‘(*alpha-air-iegisters*) 

:counted  ‘false)) 

(d^ar  *alpha-fiiel-manif(dd*  (make-valve 

:valve-id  ‘a-fuel-man 

:upstream  ‘(*alpha-fuel-oil-c(MitiDl-valve*) 
:(townstream  nil 
xounted  ‘false)) 

(defvar  *alpha-fuel-oil-control-valve*  (make-valve 

:valve-id  ‘a-focv 

:upstream  ‘(^fo-svc-pump-disch*) 
:downstream  ‘(*aIpha-fueI-manifold'* 
*alpha-fuel-recirc*) 
.‘counted  ‘false)) 

(defvar  *alpha-fuel-Tecifc*  (make-valve 

:valve-id  ‘a-fo-tecirc 

:upstieam  ‘(*alpha-ft^-oil-control-valve* 
*alpha-fuel-manifold*) 

:downstieam  nil 
xounted  ‘false)) 

(defvar  ^fo-svc-pump-disch*  (make-valve 

:valve-id  ‘fuel-pump-disch 
nipstieam  nil 

:downstream  *(*a]^)ha-fuel-oil-contiol-valve*) 
rcounted  ‘false)) 

(defvar  *alpha-feed-stop-valve*  (make-valve 

n«lve-id  *a-feed-st(^ 
mpstieamnil 

rdownstieam  *(*alpha-fwcv*) 

:counted  ‘false)) 

(dd'var  *alpha-fwcv*  (make-valve 
:valve-id  ‘a-fwcv 

:iq>str6am  *(*ali4ia-feed-stop-valve*) 

:downsiieam  ‘(*alpha-manual-check-vlv*) 

.‘counted  ‘false)) 

(defvar  *alpha-manual-check-viv*  (make-valve 

:valve-id  ‘a-man-chk 
:upstieam  ‘(*alpiia-fwcv*) 
rdownstream  nil 
:countBd  ‘false)) 
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(defvv  *alpha-bleeder*  (make-valve 

:valve-id  ‘a-bleed 

:q>stieam  ‘(*alpha-desuperheater-inlet*) 
rdownstream  ml 
:coun(ed  ‘false)) 

(defvar  *auginentor*  (make-valve 
:valve-id  ‘aug 

rupstream  ‘(^aliriia-aux-steam-stop*) 
rdownstieam  nil 
:counted  ‘false)) 

(ddvar  *fdb-inlet*  (make-valve 
:valve-id  ‘fdb-in 

:iqistteam  ‘(^alpha-aux-steam-stop*) 

:downstieam  nU 
:counted  ‘false)) 

0 

j 

(defvar  *one-fifty-inlet*  (make-valve 

:valve-id  ‘one-fifty-in 
:upstfeam  ‘Calpha-aux-steam-stop*) 

.‘downstream  nil 
:counted  ‘false)) 

(defvar  *soQt-blower-supply*  (make-valve 

:valve-id  ‘soot-bk)w-sup 
‘.upstream  ‘(*alpha-aux-steam-stop*) 

:downstieam  nil 
.‘counted  ‘false)) 

(defvar  *pmac-inlet*  (make-valve 

:^ve-id  ‘pmac-in 

:upstream  ‘(*alpha-aux-steam-stop*) 

:downstreamnu 
:countBd  ‘false)) 

(defvar  *er-bulkhead-stop*  (make-valve 

:valve-id  ‘er-bOdid-stop 
:u|»tream  ‘(^a^iha-tnain-steam-stap*) 

:downttieam  nU 
:ooonied  ‘false)) 

(defw  *amr-bulkbead-stop*  (make-valve 

:valve-id  ‘amr-blkhd-stop 
:up8tream  ‘(^alpha-main-Aeam-stop^) 

‘.dowiKtream  nil 
rcounted  ‘false)) 

>1 

(defvar  *mfp-stm-supply*  (make-valve 

.‘valve-id  ‘mfjp-stm-stq> 

:upstream  ‘(*al^-niain-steam-st(qy*) 

‘.downstream  nu 
:couniBd  ‘false)) 

# 
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(defstnict  boiler 

water-level 

steam-dnim-ixessiire 

aipeitaeater-outlet-temp 

fuel-pressure 

air 

fire-status) 

(defvar  *alpha-boiler*  (make-boiler 

:wai»’-level  ‘nonn 
:steam-drum-ptessure  ‘low 
:superbeater-outlet-temp  ‘low 
.'fuel-pressure  ‘none 
:air  ‘none 
:fire-status  ‘false)) 

(d^im  light-off  0 

(s^  (boiltf-steam-drumivessure  *alpha-boiler*)  ‘noim) 

(setf  (boiler-superheater-outlet-tKap  *alpha-boiler*)  ‘norm) 

(self  (boUer-fuel-pressuie  *alpha-boikr*)  ‘norm) 

(setf  (boiler-air  *dpha-boiler*)  ‘norm) 

(setf  (boiler-fire-stauis  *alpha-boiler*)  ‘true)) 

(defun  initialize-plant  0 
(light-ofi) 

(a^  (valve-input  *vittual-sh-outlet*)  ‘norm) 

(setf  (valve-status  *alpha-m^-steam-stop*)  ‘open) 

(setf  (valve-next  *alpiia-main-steam-stop*)  *a]pha-aux-steam-stt^*) 
(setf  (valve-status  *alpha-aux-steam-^(^)  ‘q)en) 

(self  (valve-next  *alpha-aux-steam-stop*)  *al^-desiq«heater-inlet*) 
(setf  (valve-siauis  *alpha-desupeibeater-inlet*)  ‘open) 

(self  (valve-next  *alim-desupetheater-inlet*) 


*atoha-safeties*) 

(self  fviuve-input  *aIpfia-siq)ertieater-ptotection-in]et*)  ‘nonn) 

(self  (valve-status  *an)ha-8afeties*)  ‘snut) 

(setf  (valve-next  *alpna-safeties*)  *alite-air-iegisiBrs*) 

(self  (valve-inpot  *alplia-safeties*)  'nonn) 

(self  (vahre-staius  *alplia-air-r^isters*)  ‘open) 

(setf  (valve-next  *aIpna-airHegis(Bts*)  *alplia-air-shutters*) 

(setf  (valve-status  *alpha-air-drattera*)  'open) 

(setf  (valve-next  *alp(ia-air-shottos*)  *a9ha-fuel-manifoId*) 

(setf  (vahre-nqMit  *aiplia-air-shutten*)  ‘norm) 

(setf  (valve-status  *amha-fuel-inanifokl*)  ‘open) 

(setf  (valve-next  *alpna-fud-manifold*)  *alpha-fbeI-oil-contnd-valve*) 
(setf  (valve-status  *ahiha-fuel-oil-coatr(^valve'*)  ‘open) 

(setf  (valve-next  *alpna-fdel-<Hl-caatn)l-valve*)  *a^ha-fueI-ieciTC*) 
(setf  (valve-status  *ata)lia-fbel-feciic*)  ‘shut) 

(smf  (valve-next  *ah)na-fiKl-feciic*)  *fo-svc-punq>-discb*) 

(setf  (valve-status  *fo-svc-pomp-disch*)  ‘open) 

(setf  (valve-next  *fb-svc-pump-disch*)  *a9ha-feed-stop-valve*) 

(setf  (valve-inpat  *fb-svc-]iumi>-d8ch*)  ‘norm) 

(setf  (valve-status  *alpha-feed4top-valve*)  ‘open) 

(setf  (valve-next  *alpna-feed-stop-valve*)  *alpha-fwcv*) 

(setf  (valve-inpat  *aqilia-feed-stQp-valve*)  ‘norm) 

(setf  (vaWe-status  *a^pha-fwcv*)  ‘open) 


(setf  (valve-next  "‘alpha-fwcv*)  *alpfaa-inanual-€heck-vlv*) 
(s^  (valve-Matus  *upiia-inaniial-clieck-vlv*)  ‘open) 

(self  (valve-next  *alpha-inanual-check-vlv*)  *alpha-bleeder*) 
(aetf  (valve-status  *dpha-bleeder*)  ‘shut) 

(self  (valve-next  *alpaa-bleeder*)  *augmentor*) 

(self  (valve-status  *augmeni(v*)  ‘open) 

(setf  (valve-next  *augmmtor*)  *fdb-iiilet*) 

(self  (valve-status  *fdb-inlet*)  ‘open) 

(setf  (valve-next  *fdb-inlet*)  *one-fiAy-inlet*) 

(self  (valve-status  ^one-fifty-inlet*)  ‘open) 

(self  (valve-next  *aiie-fifty-ude^)  *soot-Mower-supply*) 
(self  (valve-status  *soot-blower-supply*)  ‘open) 

(self  (valve-next  *aoat-blower-supply*)  *pinac-inlet*) 

(self  (valve-stauis  *pmac-inlet*)  '^ut) 

(setf  (valve-next  *pmac-inlet*)  *er-bdkhead-stop*) 

(setf  (valve-stauis  *er-bulkhead-stop*)  ‘open) 

(self  (valve-next  *er-bulkhead-siop*)  *amr-bulkhead-suv*) 
(self  (valve-status  *anu’-bulkhead-sti^)  ‘open) 

(setf  (valve-next  *amr-bulkhead-st(^)  *mf^stm-siq)ply*) 
(setf  (valve-status  *mfp-stin-supply*)  ‘open) 

“idant  initialized^ 


(defiin  show-valve-status  (affected) 

(format  t 

‘--%VALVE-3()lSTATUS-40tINPUT-60lOlJTPUT--% - 30t - 40t - 60t 

(do  ((cunent  *alpha-main-steam-stop*  (valve-next  current))) 

((eq  content  i^)  ‘That’s  all  folksl'O 
(format  t 

“-♦-SOt’a  40t-^‘60t—a** 


(valve-valve-id  cunent) 

(valve-status  current) 

(valve-input  current) 

(valveoutrat  current)) 

(if  (equal  (vdve-valve-id  cunent)  (valve-valveid  (eval  affected))) 
(format  t 

‘‘-30t**CHANGE**-%’0 
(format  t 
“-*"))) 

(format  t 

« - %-) 

(format  t 


(fonnatt 


•%”)) 


(defim  cliedt-for-ftow  (valve-in  flow-status) 

(setf  (valve-oounted  (eval  valve-in))  ‘true) 

(when  (or  (equal  (valve-status  (evd  valve-in))  ‘shut) 

(not  (eoual  (valve-downstream  (evu  valve-in))  nil))) 

(if  (equal  (valve-status  (eval  valve-ai))  ‘open) 

(do*((nO(l-i-n)) 

(valve-indal  (first  (valve-downstream  (eval  valve-in))) 

(nith  n  (valve-downstream  (eval  valve-in))))) 

((or  (equal  valve-ind^l  nil) 

(equl  flow-status  ’flow})) 

(if  (equal  (valve-counied  (eval  valve-indexl))  ‘fldse) 

(setf  flow-status  (check-for-flow  valve-indexl  flow-status))))) 


124 


(if  (equal  flow-status  nil) 

(do*  ((m  0  (1+  m)) 

(valve-inde;^  (flrst  (v^ve-upstream  (eval  valve-in})) 

(nth  m  (valve-iq>streain  (eval  valve-in))))) 

((O’  (equal  valve-index2  nil) 

(et^  flow-status  ‘flow))) 

(setf  flow-status  (check-fra'-flow  valve-index2  flow-status))))) 
(if  (and  (equal  (wflve-status  (eval  valve-in))  ‘open) 

(^ual  (valve-downstream  (eval  valve-in))  nil)) 

(setf  flow-stauis  ‘flow)) 
flow-status) 

(defun  oventressure  (aflected  trace) 

(self  (valve-in^t  (eval  affected))  ‘high) 

(if  (equal  trace  ‘true) 

(show-valve-siatus  affected)) 

(do*((nO(l+n)) 

(valve-index  (first  (valve-upstream  (eval  affected))) 

(ndi  n  (valve-iqtstream  (eval  affected))))) 

((equal  valve-index  nil)) 

(setf  (valve-ouQMit  (ev^  valve-index))  ‘high) 

(do*  ((m  0  (1+  m)) 

(valve-index2  (first  (valve-downstream  (eval  valve-index))) 

(nth  m  (valve-downstream  (eval  valve-index))))) 
((equal  valve-index2  nil)) 

(if  (not  (equal  (valve-input  (eval  valve-index2))  ‘high)) 
(overpressure  valve-index2  trace))) 

(if  (equal  (valve-status  (eval  valve-index))  ‘open) 

(overpressure  valve-index  trace)))) 

(defim  protMigate-valve-values  (affected  trace) 

(let  (flow-status) 

(when  (equal  (valve-status  (eval  affected))  ’open) 

(self  (v^ve-output  (eval  affected))  (valve-input  (eval  affected))) 

(if  (equal  trace  ’true) 

(show-valve-stams  affected))) 

(when  (espial  (valve-status  (eval  aflet^))  ‘shut) 

(sett  (valveoutput  (eval  affected))  ‘none) 

(if  (equal  trace  ’true) 

(show-valve-stams  affected)) 

(if  (equal  (check-for-flow  affected  flow-status)  nil) 

(oveipressure  affected  trace)) 

(do  ((current  *alph»;main-8team-stop*  (valve-next  (eval  current)))) 
((equal  current  nil)) 

(sett  (valve-counied  (eval  current))  ‘false))) 

(do*  ((n  0  (l-f  n)) 

(valve-index  (first  (valve-downstream  (eval  afiected))) 

(nth  n  (valve-downstream  (eval  affected))))) 

((equal  valve-index  nil)) 

(sett  (valve-input  (eval  valve-index))  (valve-output  (eval  affected))) 
(ptqjagaie-valve-^ues  valve-index  trace)))) 

(defun  alpha-boikr-update  (gone-thru) 

(let  (lepropraaie) 

(self  (boSer-fiid-piessure  *alpha-b(^er*) 

(valve-output  *alpiha-fuel-inanifold*) 

(boiler-air  *alpha-boilet*) 

(valve-output  *a4)ha-air-registers*)) 
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(if  (equal  (boiler-fuel-pressure  *ah)ha-boilei*)  ‘none) 

(sra  (boiler-fue-stabis  *alptia-boiler*)  ‘false)) 

(when  (and  (ecpial  (boiler-fire-siatus  *a]|:^-boiler*)  ‘false) 

(equal  gone-thiu  ‘false)) 

(self  (boler-steam-drum-inebure  *alpha-boilef*)  ‘low 
(boiler-superfaeaier-oullet-temp  *alpha-boil^)  ‘low) 

(if  (or  (equal  (valve-status  *alpha-dKiq)erheater-inlet*')  ‘men) 

(^ual  (valve-status  *aliriia-Riain-steam-stop*)  ‘open)) 

(setf  iqxopagate  ‘true)) 

(setf  gooe-lhru  ‘true)) 

(case  (valve-ouqxit  *alpha-inanual-ciieck-vlv*) 

(‘norm  (setf  (boila-water-level  *a4>ha-boiler*)  ‘nonn)) 

Cnooe  (setf  (boilCT-wata-level  *alplia-boilei*)  ‘low-al^)) 

(‘low  (setf  (teiler-waier-level  *alpha-boiler*)  ‘k>w-but-not-alaim)) 

(‘high  (if  (^  (equal  (valve-status  ^alpha-deaiperheater-inlet*)  ‘^ut) 

(equal  (valve-status  *alpha-inain-steain-stop*)  ‘shut)) 

(setf  (boiler-water-level  *alpha-boiler*)  ‘high-almn) 

(setf  (boiler-water-level  *alpha-boiler*)  ‘high-but-no-alann))) 

(otherwise  nU)) 

(if  (equal  (valve-input  *virtual-sh-outlet*)  ‘high) 

(sesf  (boiler-steain-dniin-pressure  *alptut-boiler*)  ‘safeties-lift-high)) 

(s^  (valve-input  *alpha-sareties*)  (boiler-steam-drum-pressure  *a$ha-boiler*)) 

(if  (equal  (valve-input  *alpha-safeti^)  ‘safeties-Uft-hi^) 

(setf  (valve-status  *alpl^safeties*)  ‘open) 

(setf  (valve-status  *alpha-safeties*)  ‘shut)) 

(when  (and  (equal  (boiter-steam-drum-pressw  *alpha-boiler*)  ‘safetits-lifl-high) 
(or  (eqt^  (valve-status  *alpha-desuperbeater-inlet*)  ‘open) 

(equal  (valve-status  *a]^ha-nuun-steain-stop*)  ‘open))) 

(if  (equal  (boiler-fue-staius  *al^ta-b(^ei*)  ‘false) 

(am  (boUer-steam-drum-pressure  *alpha-boile^)  ‘low) 

(setf  (bojler-steam-dnim-pressure  *alpha-boiler*)  ‘nonn)) 

(am  fqjfopagaiB  ‘true)) 

(setf  (valve-input  *viitual-sh-outlet*)  (boUer-steam-dnun-piessuie  *alpha-boiler*)) 
(list  lepropagate  gone-thru))) 

(defim  status-display(ievia6d) 

(if  (equal  revum  ‘true) 

(format  t‘*>>%Tlie  fdlowing  is  the  revised  status  of  your  plantr’O 
(format  t*‘~%The  flowing  b  the  current  status  of  your  plane”)) 

(format  t  ‘•-%-%-40tl  A 

(format  t  “WATER  LEVEI>40l-«'-%STEAM  I»UM  FRESSl}RE~4<k-a-'%’’ 
(boUer-water-level  *al4)ha-boilei*) 

(boiler-steam -dnan-oressure  *alDha-boiler*)) 

(format  t  “SUPERHEATQIOOT^  T^-40l^^FUEL  PRESSURE-4(X-<i~%” 
(bote-superiieaiBr-ciitlet-temp  *alpha-b(nler*) 

(boUer-fiiel-pfessure  *alpba-boiler*)) 

(format  t  ‘XXIMBI^ON  AIir-4()i-a>>%STATUS  OF  FIRES~4(k-8-%~%’’ 
(boiler-air  *alpha-boiler*) 

(boiler-fire-staius  *alpha-boiler*))) 

(defim  ptopagare  (valve-in  trace  gane-ihtu) 

(staius-diaTlw  ‘false) 

(format  t  ‘'-WThe  foUowing  b  a  valve  status  list'-%->%'0 
(do  ((current  *alpha-main-siBam-siop* 

(valve-next  (eval  current)))) 

((equal  ciarent  nil)) 

(format  t  ‘*-n-20t-a-%’* 

(valve-valve-id  (eval  cuirent)) 
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(valve-status  (eval  cuirent)))) 

(fonnat  t  “~%-a  status  has  been  changed.  Propagation  underway-%-% 
(valve-valvfr  -i  valve-in)) 

(if  (equ^  (valve-status  (eval  valve-in))  ‘open) 

(sra  (valve-status  (e^  valve-in))  ‘shut 
(valve-output  (eval  valve-in))  ‘none) 

(setf  (valve-status  (eval  valve-in))  ‘open)) 

Owtne^atevalve-values  valvein  trace) 

(let  vepropagaie) 

(setf  lepropagaie  (first  (alpha-boiler-updatc  gone-thru)) 
gone-thru  (second  (alpha-boiler-update  gone-thru))) 
(siatua-di^lay  ‘tnie) 

(if  (equal  iqtropagaie  ‘true) 

(propagate-valve-values  *vinual-sh-outlet*  trace))) 
gonethiu) 


(defun  boiler-model  (valve-in  trace) 

Get  ((gone-thru  ‘false)) 

(initialize-plant) 

(dolist  (element  (list  *viitual-sh-outiet* 

*alpha-air-shutters*  *fo-svc-pumpHlisch* 
*al{^feed-stop-valve*)) 
(propagate-valve-values  element  ‘false)) 

(pmpagatf.  valve-in  trace  gone-thru))) 


(defun  practice  0 

(propagate  ^alpha-main-steam-suqi*  ‘true 

(propagate  *alpha-desupertieater-in]et*  ‘true 
$oil<9'-model  •alpha-fuel-oil-control-valve*  ‘true)))) 
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APPENDIX  D  (MODEL  STRUCTURE  CHARTS) 
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■■■'task 

BODLER  MOHEL. 
STEAM  DRUM  MANAGER 


::jHOcedure 
BOILER  MODEL. 
INCREMENTAL.DECREASE 


BOa^ER^MODEL. 

LESSER_OF 


BOILER^MODEL. 

RUPTURED_TUBE_CHECK 


■  '::  SSSii-,:::.:.*|aak 

BCMIRJ^DEL. 

FIRES^MANAGER 


BOILEILMODEL. 

TUBEJ4ANAGER 
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■v^vtask'  i-. ' 

VALVES_ANDLPn>ING. 

PROPAGATE 


procedure 

VALVES_AND_PIPING 

PROPAGATE_VALVE_VALUES 


pfooedme 

VALVKjWJD_PJPING. 

CHEC1LPOR.FLOW 
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